CN108351933A - End-user-initiated access server authenticity checks - Google Patents


Info

Publication number
CN108351933A
Authority
CN
China
Prior art keywords
user
information
access
management system
response
Legal status (assumed by Google, not a legal conclusion)
Granted
Application number
CN201680061463.6A
Other languages
Chinese (zh)
Other versions
CN108351933B (en)
Inventor
S·马修
R·萨布拉曼亚
V·A·库泰伊
Current Assignee (as listed by Google; may be inaccurate)
Oracle International Corp
Original Assignee
Oracle International Corp
Application filed by Oracle International Corp
Priority to CN202210366031.3A
Publication of CN108351933A
Application granted
Publication of CN108351933B
Legal status: Active

Abstract

Techniques are disclosed for enabling a user to verify the authenticity of a computing system (e.g., an access management system), such as a computing system that controls access to one or more resources. The user may determine the authenticity of the access management system before the user provides credential information to the access management system. An interface may be presented to the user at the client system requesting authentication of the access management system. The access management system may provide the user with temporary access information at the client system for submission back to the access management system. The access management system may provide the most recent personal information to the user at the client system to verify the access management system. After verifying the personal information, the access management system may prompt the user for credential information to establish the session.

Description

Translated from Chinese
End-user-initiated access server authenticity checks

Cross-Reference to Related Applications

This application claims the benefit of and priority to U.S. Nonprovisional Patent Application No. 14/920,807, filed October 22, 2015, entitled "END USER INITIATED ACCESS SERVER AUTHENTICITY CHECK," the entire contents of which are incorporated herein by reference for all purposes.

Technical Field

In general, this application relates to data processing. More specifically, it relates to techniques for enabling a user to verify the authenticity of a computing system that controls access to resources.

Background

Modern enterprises rely on applications and systems that control and generate information critical to business operations. Different applications often provide different services and information, and different users may need access to different levels of information within each system or application. The level of access a user is granted may depend on the user's role. For example, a manager may need access to certain information about the employees who report to him, but it may not be appropriate for that manager to have access to the same information about the people he reports to.

Previously, less sophisticated applications incorporated access management business logic directly into the application code. That is, each application would require the user to have a separate account, separate policy logic and separate permissions. Furthermore, when a user authenticated with one of these applications, that authentication remained unknown to other applications in the enterprise, because the fact that authentication had occurred with the first application was not shared. Consequently, there was no concept of trust between applications that used different systems for authentication and access control. Engineers soon realized that having an access management system for every application in the enterprise was like having a gas station for every car, and determined that authentication and access control would be implemented and managed more efficiently as shared resources. These shared resources are called access management systems.

Access management systems often use policies and other business logic to determine whether a particular access request for a particular resource should be granted. After determining that access should be granted, a token is provided to the requester. This token is like a key that can be used to open the doors protecting restricted data. For example, a user may attempt to access a human resources database to gather information about certain employees (such as salary information). The user's web browser sends a request to the application, and the request requires authentication. If the web browser does not hold a token, the user is asked to log in to the access management system. Once the user is authenticated, the user's browser receives a cookie representing a token that can be used to access the human resources application.

In an enterprise, a user (e.g., an employee) typically has access to one or more different systems and applications. Each of these systems and applications may apply different access control policies and require different credentials (e.g., a username and password). Single sign-on (SSO) can provide a user with access to multiple systems and applications after an initial login. For example, when a user logs in to their work computer, the user may also gain access to one or more other resources (such as systems and applications). An access management system may challenge the user to verify his or her identity in order to decide on access to a resource. The user may be challenged for information based on a combination of "what you have", "what you know" and "who you are".

An access management system may use a graphical user interface on the client device to prompt the user for information with which to verify the user's credentials. Sometimes the information requested from the user includes sensitive confidential information that, if disclosed, could compromise the individual's identity and personal data (e.g., financial or account information). Accordingly, a user may hesitate to provide sensitive information to a system (such as a server) in order to gain access to resources without being confident that the system requesting the information actually controls access to those resources.

With continued technology-based advances in identity theft using techniques such as fraud and phishing, users are even more reluctant to provide their credentials when they cannot verify the origin of the credential request. For example, an access management system may present private information to the user so that the user can judge the authenticity of the access management system from it. In this scenario, however, fraudulent and phishing systems may have access to personal information that can be used to trick the user into believing that the system requesting authentication is legitimate. In another example, the access management system may contact another device with a special code for additional verification. A fraudulent system, however, may have access to the user's contact information and may use it to send additional verification information of its own. In yet another example, a phishing or fraudulent system may attempt to deceive the user by collecting credential information through a collection page that is not controlled by the access management system. In one scenario, a malicious browser plug-in on the client system may be activated to impersonate the access management system and improperly request access credentials from the user.

In some cases, a client system may receive a one-time code (e.g., a password) that enables the user operating the client system to access resources via the access management system. If the client system is compromised or stolen, whoever is operating it may be able to use the one-time code to gain unauthorized access to the resources. Some identity-theft techniques can be used to intercept communications between a client system operated by the user and the access management system. The intercepted communications may then be used to solicit identity or access information from the user.

Access management solutions may face the challenge of giving users the ability to initiate verification of the system that provides the access management facilities. New techniques are desired that enable a user to determine the authenticity of a system that requests credential information for access to resources.

Summary of the Invention

The present disclosure generally relates to managing access to resources. Certain techniques are disclosed for enabling a user to verify the authenticity of a computing system (e.g., an access management system), such as a computing system that controls access to one or more resources. In particular, techniques are disclosed for enabling a user to determine the authenticity of an access management system before the user provides credential information to it.

Embodiments disclosed herein enable a user to use information to verify the authenticity of an access management system. The information may differ each time, and the user can use this most recent information to verify the authenticity of the access server. The data exchange between the access management system and the client system can be modeled as a three-way handshake between the end user and the access management system. The access management system therefore does not need to disclose any confidential information unless the user first proves himself or herself with the temporary data. The techniques described herein counter the security risk posed by a stolen card or mobile device by asking the user for both temporary data ("what you have") and a password ("what you know"). The three-way handshake ensures that authentication is flawless from the perspective of both the end user and the access server.

In some embodiments, an interface, such as a graphical user interface (GUI), may be presented to the user at the client system that enables the user to request verification of the access management system. The interface may be presented before credential information is requested from the user for access to a resource controlled by the access management system. By verifying the authenticity of the access management system, it can be ensured that the user does not provide credential information to a computing system controlled by an unauthorized user. By enabling the user to verify the authenticity of the access management system, the user can be assured that credential information and other confidential information will not be compromised by an unauthorized party or entity. It can also be ensured that the access management system itself has not been compromised in a way that would let the recipient of the credentials, once they are provided, gain unauthorized access to the desired resources.

In one aspect of the invention, the interface for requesting system verification may ask for the user's identification information in order to initiate system verification. The identification information may enable the access management system to identify the user and determine the contact information used to communicate verification information. The contact information may correspond to one or more destinations (e.g., an email address or a different device) with which the access management system may communicate as part of system verification.

During system verification, the access management system may send temporary data (e.g., temporary access information) that is subject to one or more criteria, such as time. The temporary access information may be sent to the client system requesting system verification and/or to any destination associated with the user. The access management system may then request the temporary access information back via the interface as part of the system verification process. The access management system can check the returned temporary data to determine whether it matches the data sent to the user.

After verifying that the temporary data matches the data previously sent to the user, the access management system may send personal information to the user as part of system verification. The personal information may include sensitive confidential information (e.g., current financial information) that an unauthorized user is unlikely to know. The personal information may be sent to the client system and/or to the destination(s) associated with the user. Through the interface, the user can indicate whether the personal information is correct. Confidential information may be information known only to the user and the access management system. It may include information that is unlikely, if not impossible, for another, external computer system to fraudulently intercept, guess or obtain.

Through the interface, the user can provide credential information upon verifying the personal information. The credential information may be used to determine the user's authentication as part of the system verification process. After successfully authenticating the user based on the credentials, the access management system may establish a session for the user to enable access to resources.

In some embodiments, an access management system may include a computing system configured to implement the methods and operations described herein. Still other embodiments relate to systems and machine-readable tangible storage media that embody or store instructions for the methods and operations described herein.

In at least one embodiment, a method may include receiving, from a computing device operated by a user, a verification request to verify an access management system, the verification request including user identification information associated with the user. The method may include sending, based on the user identification information, temporary access information for the user's verification of the access management system to a destination associated with the user. The destination may be the computing device. The destination may be a device associated with the user, and that device may be different from the computing device. The method may include receiving from the computing device a first response that includes the temporary access information. The method may include, after verifying the temporary access information received in the first response, sending, by the computing system, personal information about the user to the computing device. The method may include receiving from the computing device a second response that indicates the user's confirmation of the personal information and includes the user's credential data. The method may include determining the user's authentication to access a resource from the computing device. The authentication may be determined based on the credential data received in the second response and the confirmation of the personal information.

In some embodiments, the method may include, after determining that the user is not authenticated to access the resource from the computing device, sending the computing device a request for the user's credential information. The computing device may send the verification request in response to that request for credential information.

In some embodiments, the first response may be received from the destination.

In some embodiments, the method may include determining that the user identification information is associated with the user, and identifying the destination based on the user identification information.

In some embodiments, the temporary access information is associated with a time period. Verifying the temporary access information may include determining that a response time falls within that time period. The response time may be based on the time taken to receive the first response after the temporary access information was sent to the computing device.

In some embodiments, the method may include generating the personal information after verifying the temporary access information received in the first response and before sending the personal information.

In some embodiments, the personal information includes financial information about the user that is determined after the temporary access information has been verified.
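As an added illustration (not code from the patent or from Oracle), the following Python models the three-step exchange of the method above with both sides in one process: the verification request with only a user identifier, the time-bound temporary code that must come back before any personal information is released, and the confirmation plus credentials that are checked only after a successful code step. The user directory, the sample transactions, the delivery channel and the 120-second window are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data for this example (hypothetical user and records, not from the patent).
_SALT = b"constructed-salt"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USER_DIRECTORY = {
    "alice": {
        "destination": "sms:+1-555-0100",  # hypothetical second device of the user
        "password_hash": _hash_password("correct horse"),
        # Recent confidential records that only the user and the server should know.
        "recent_transactions": ["2015-10-21 coffee 4.10", "2015-10-22 transit 2.75"],
    }
}

CODE_TTL_SECONDS = 120  # assumed time window the temporary access information is bound to


class FakeClock:
    """Injectable clock so the time window can be exercised deterministically."""

    def __init__(self, start: float):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    code_verified: bool = False
    personal_info: list = field(default_factory=list)


class AccessManagementSystem:
    """Server side of the three-step exchange: code out, code back, personal info out."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending: dict[str, PendingVerification] = {}
        self.sessions: dict[str, str] = {}

    # Step 1: the verification request carries only user identification information.
    def request_verification(self, user_id: str) -> dict:
        user = USER_DIRECTORY.get(user_id)
        if user is None:
            # Do not reveal whether the identifier exists: respond as if a code was sent.
            return {"status": "sent"}
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = PendingVerification(code=code, issued_at=self.clock())
        # Simulated out-of-band delivery to the destination associated with the user.
        return {"status": "sent", "destination": user["destination"], "delivered_code": code}

    # Step 2: the first response returns the temporary access information. Personal
    # information is generated and released only after it matches within the window.
    def submit_temporary_info(self, user_id: str, code: str) -> dict:
        pv = self.pending.get(user_id)
        if pv is None:
            return {"status": "rejected"}
        expired = self.clock() - pv.issued_at > CODE_TTL_SECONDS
        if expired or not hmac.compare_digest(pv.code, code):
            del self.pending[user_id]  # one attempt per code; a new request is needed
            return {"status": "rejected"}
        pv.code_verified = True
        pv.personal_info = list(USER_DIRECTORY[user_id]["recent_transactions"])
        return {"status": "verified", "personal_info": pv.personal_info}

    # Step 3: the second response carries the user's confirmation plus credential data.
    # Credentials are never checked unless the code step succeeded and the user confirmed.
    def confirm_and_authenticate(self, user_id: str, confirmed: bool, password: str) -> dict:
        pv = self.pending.pop(user_id, None)
        if pv is None or not pv.code_verified or not confirmed:
            return {"status": "denied"}
        expected = USER_DIRECTORY[user_id]["password_hash"]
        if not hmac.compare_digest(expected, _hash_password(password)):
            return {"status": "denied"}
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return {"status": "authenticated", "session_token": token}


if __name__ == "__main__":
    ams = AccessManagementSystem()
    sent = ams.request_verification("alice")  # client -> server: identification only
    shown = ams.submit_temporary_info("alice", sent["delivered_code"])  # code comes back
    print("server shows:", shown["personal_info"])  # user checks these really are theirs
    print(ams.confirm_and_authenticate("alice", True, "correct horse")["status"])
```

The rejection branches show the failure modes the text discusses: an expired or wrong code, a skipped code step, a declined confirmation and a wrong password all end without a session, and an unknown identifier gets the same reply as a known one.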

The foregoing, together with other features and embodiments, will become more apparent by reference to the following specification, claims and drawings.

Brief Description of the Drawings

Illustrative embodiments of the present invention are described in detail below with reference to the following drawings:

Figure 1 illustrates a high-level diagram of a system for enabling a user to verify the authenticity of an access management system, according to an embodiment.

Figure 2 illustrates a high-level diagram of a system for enabling a user to verify the authenticity of an access management system, according to an embodiment.

Figures 3-4 illustrate sequence diagrams showing operations for enabling a user to verify the authenticity of an access management system, according to an embodiment.

Figure 5 depicts a flowchart illustrating a process for enabling a user to verify the authenticity of an access management system, according to an embodiment.

Figures 6-9 illustrate graphical user interfaces (GUIs) of a process for enabling a user to verify the authenticity of an access management system, according to an embodiment.

Figure 10 depicts a simplified diagram of a distributed system for implementing an embodiment.

Figure 11 illustrates a simplified block diagram of one or more components of a system environment in which services may be offered as cloud services, according to an embodiment of the present disclosure.

Figure 12 illustrates an exemplary computer system that may be used to implement embodiments of the present invention.

Detailed Description

In the following description, for purposes of explanation, specific details are set forth in order to provide a thorough understanding of embodiments of the invention. It will be apparent, however, that various embodiments may be practiced without these specific details. For example, circuits, systems, algorithms, structures, techniques, networks, processes and other components may be shown as components in block diagram form so as not to obscure the embodiments with unnecessary detail. The drawings and description are not intended to be limiting.

The present disclosure generally relates to providing single sign-on (SSO) access. Based on authentication of credential information (e.g., a username and password), an SSO session can provide a user with access to one or more systems after the initial authentication. Access to a system may provide access to one or more resources. A resource may include any item managed and/or stored by a computing system, such as an application, document, file, electronic content and the like. A resource may be identified by a Uniform Resource Locator (URL) or other data indicating the source of the resource.

Certain techniques are disclosed for enabling a user to verify the authenticity of a computing system (e.g., an access management system), such as a computing system that controls access to one or more resources. In particular, techniques are disclosed for enabling a user to determine the authenticity of an access management system before the user provides credential information to it.

Embodiments disclosed herein enable a user to use information to verify the authenticity of an access management system. The information may differ each time, and the user can use this most recent information to verify the authenticity of the access server. The data exchange between the access management system and the client system can be modeled as a three-way handshake between the end user and the access management system. The access management system therefore does not need to disclose any confidential information unless the user first proves himself or herself with the temporary data. The techniques described herein counter the security risk posed by a stolen card or mobile device by asking the user for both temporary data ("what you have") and a password ("what you know"). The three-way handshake ensures that authentication is flawless from the perspective of both the end user and the access server.

Some embodiments, such as systems, methods and machine-readable media, for enabling a user to verify the authenticity of an access management system are disclosed. Figure 1 illustrates a system 100 in which a user (e.g., user 102) who accesses resources within a session can initiate a process to verify the authenticity of access management system 140. A user may wish to verify the authenticity of an access management system, or of any computing system, to ensure that access information (e.g., a password or confidential information) is not compromised by an unauthorized system. For purposes of illustration, a "session" as described herein includes an SSO session; however, a session may include other types of sessions that provide a user with access. Access management system 140 may provide access to one or more resources. Access management system 140 may implement a login system (e.g., an SSO system) that can establish an SSO session to provide SSO access to one or more resources.

Resources may include, but are not limited to, files, web pages, documents, web content, computing resources or applications. For example, system 100 may include resources such as applications 120 and/or content accessible through those applications 120. Applications may be used to request and access resources. For example, an application may request access to a web page from a resource server based on a URL that identifies the requested resource. Resources may be provided by one or more computing systems, e.g., a resource server that provides access to one or more resources after user 102 has been authenticated in the SSO system.

User 102 operating a client device (e.g., client device 104) may be presented with one or more interfaces that accept input to enable the user to interact with an access management system (e.g., access management system 140). Examples of interfaces include the graphical user interfaces (GUIs) described with reference to Figures 6-9. An interface may be accessed using an application (e.g., application 108) executing on client device 104. Before user 102 initiates the access process with access management system 140 for the authentication of user 102, the interface may receive input requesting verification of the authenticity of access management system 140. Upon receiving a request from user 102 to verify access management system 140, access management system 140 may initiate a process by which access management system 140 and client device 104 operated by user 102 communicate so that the user can verify access management system 140. The communication between the user and access management system 140 enables access management system 140 to verify that it is communicating with the actual user for whom access is being established. The communication establishes a three-way handshake between the client device and access management system 140 that establishes trust between the user and the access management system for the authentication that provides the user with access to resources.

Access management system 140 may be implemented by a computing system. The computing system may include one or more computers and/or servers (e.g., one or more access manager servers), which may be general-purpose computers, special-purpose server computers (including, by way of example, PC servers, UNIX servers, mid-range servers, mainframe computers, rack-mounted servers and so on), server farms, server clusters, distributed servers, or any other suitable arrangement and/or combination thereof. Access management system 140 may run any number of operating systems or various additional server applications and/or middle-tier applications, including HTTP servers, FTP servers, CGI servers, Java servers, database servers and the like. Exemplary database servers include, but are not limited to, those commercially available from Oracle, Microsoft and others. Access management system 140 may be implemented using hardware, firmware, software or a combination thereof.

In some embodiments, access management system 140 may be implemented by multiple computing devices (e.g., access manager servers) deployed as a cluster in a data center, which allows for scalability and high availability. Multiple such geographically dispersed data centers with access manager server clusters may be connected (wired or wirelessly) to form a multi-data center (MDC) system. An MDC system can meet the high-availability, load-distribution and disaster-recovery requirements of access servers in an enterprise computer network. The MDC system can act as a single logical access server to support SSO services for access management system 140.

Access management system 140 may include at least one memory, one or more processing units (or processor(s)), and memory. The processing unit(s) may be suitably implemented in hardware, computer-executable instructions, firmware, or a combination thereof. In some embodiments, access management system 140 may include several subsystems and/or modules. For example, access management system 140 may include session engine 142, authorization engine 144, system verification manager 146, and personal information handler 148, each of which may be implemented in hardware, in software executing on hardware (e.g., program code, instructions executable by a processor), or a combination thereof. In some embodiments, the software may be stored in memory (e.g., a non-transitory computer-readable medium), on a memory device, or on some other physical storage, and may be executed by one or more processing units (e.g., one or more processors, one or more processor cores, one or more GPUs, etc.). A computer-executable instruction or firmware implementation of the processing unit(s) may include computer-executable or machine-executable instructions written in any suitable programming language to perform the various operations, functions, methods, and/or processes described herein. The memory may store program instructions that are loadable and executable on the processing unit(s), as well as data generated during the execution of those programs. The memory may be volatile (such as random access memory (RAM)) and/or non-volatile (such as read-only memory (ROM), flash memory, etc.). The memory may be implemented using any type of persistent storage device, such as a computer-readable storage medium. In some embodiments, the computer-readable storage medium may be configured to protect a computer from electronic communications containing malicious code. The computer-readable storage medium may include instructions stored thereon that, when executed on a processor, perform the operations described herein.

FIG. 1 illustrates an example in which user 102 may communicate with access management system 140 to verify access management system 140 before initiating an authentication process (e.g., the user submitting credential information). In this example, user 102 operating client device 104 may attempt to access a resource such as application 108, e.g., any of applications 120 or a resource accessible through applications 120. Applications 120 may be accessed by user 102 after successful authentication of the credential information of user 102. Before one of applications 120 can be accessed by user 102 at client device 104, user 102 may be authenticated for a session that provides user 102 with access to applications 120. Client device 104 may initiate the authentication process by requesting access from access management system 140. The authentication process may include client device 104 displaying one or more GUIs to receive the user's credential information and submitting a request for authentication to access management system 140. Authentication may be established based on verifying the credential information of user 102.

When attempting to access an application, user 102 may operate an application (e.g., application 108) that manages access to the user's account via access management system 140. For example, application 108 is an access management application that can present a GUI, such as those depicted in FIGS. 6-9. Using application 108, user 102 may initiate a verification process to determine the authenticity of access management system 140 (i.e., whether access management system 140 is responsible for the authentication of user 102). The verification process may include one or more communications 130 from client device 104 to access management system 140 ("user verification communications"). The verification process may include one or more communications 132 ("system verification communications") from access management system 140 to one or more client devices (e.g., client device 104) associated with the user who initiated the verification process. Some embodiments of the verification process are described further below.

Communications between client device 104 and access management system 140 may be received through a gateway system. The gateway system may support access management services. For example, a single sign-on (SSO) gateway may implement one or more access agents, such as agent 106 (e.g., a web gateway agent), to balance and/or process requests from clients and access management system 140.

In at least one embodiment, the verification process may be initiated by user 102 in application 108. Application 108 may present a GUI that prompts user 102 to enter credential information. Credential information may be requested when the user is no longer authenticated. The absence or expiration of a session may cause access management system 140 to request credential information for a protected resource from user 102. Application 108 may present a GUI that enables user 102 to request verification of access management system 140 before providing credential information. After the request for system verification is initiated, a user verification communication 130 (e.g., a system verification request) may be sent from client device 104 to access management system 140 to initiate verification of access management system 140. Specifically, system verification may determine the authenticity of the computing system that handles authentication for access management system 140.

After receiving the system verification request, system verification manager 146 of access management system 140 may manage the system verification. System verification manager 146 may determine temporary access information (e.g., a one-time password) for verification by user 102. The temporary access information may be subject to one or more criteria (e.g., time). Examples of temporary access information may include a password, a code, a token, a key, or other information subject to one or more criteria. The temporary access information may be generated when the system verification request is received, or may have been generated previously. Access management system 140 may store the temporary access information in data store 160 ("temporary passwords").

System verification manager 146 may send the temporary access information in a system verification communication 132 to client device 104 for receipt by user 102. User 102 may operate client device 104 to send a user verification communication 130 with the temporary access information to access management system 140. Access management system 140 may check the temporary access information returned by the user to determine whether it matches what was previously sent to user 102.

Personal information handler 148 of access management system 140 may generate personal information that may be known or accessible only by the user. In some embodiments, the personal information may be obtained from a third-party source (e.g., a financial system or a system that provides personal information) that is not part of the access management system being verified. User 102 may have previously registered with access management system 140, providing information for accessing personal information from one or more sources (e.g., third-party systems). The personal information may include recent information associated with the user that cannot otherwise be accessed by unauthorized users who lack the privilege to access that information. The personal information may be stored in a data store, e.g., data store 170 ("personal information"). Recent personal information may include, for example, financial information obtained from current financial records (e.g., bank records). To ensure that the personal information is based on current records, personal information handler 148 may determine the personal information after system verification manager 146 has checked the temporary access information.

System verification manager 146 may send a system verification communication 132 including the personal information to client device 104. Client device 104 may present an interface that displays the personal information, and using this interface user 102 may indicate whether the personal information is correct. If the user indicates that the personal information is correct, the interface may accept credential information to determine the user's authentication. If the personal information is incorrect, the user may indicate so and may choose not to provide credential information. Thus, checking the personal information enables user 102 to determine whether access management system 140 is authentic. If the personal information is incorrect, user 102 may determine that access management system 140 is not authentic, thereby preventing the user from sharing credential information with a potentially unauthorized computing system.

Based on successful authentication of the credential information, user 102 may access a resource (e.g., applications 120). After receiving the credential information, session engine 142 may check whether the requested resource (e.g., application 170) is a protected resource that requires credentials for access. Session engine 142 may request authorization engine 144 to determine whether access to the resource is protected. Upon determining that access to the resource is not protected, session engine 142 may grant access to the resource. Upon determining that access to the resource is protected, session engine 142 may determine the authentication of user 102 based on the credential information. After determining the authentication of user 102, authorization engine 144 may determine whether user 102 is authorized to access the resource based on the access permitted to user 102. Session engine 142 may send a communication to client device 104 indicating whether access to the resource is allowed for user 102. Based on whether access is allowed, application 108 may be enabled for user 102.

Access management system 140 may provide many SSO services, including management of access to resources (e.g., granting/denying access), automatic login, change and reset of application passwords, session management, provisioning of application credentials, and authentication of sessions. In some embodiments, access management system 140 may provide automatic single sign-on functionality for applications 120 (such as applications running on or accessed from a client device, web applications, and mainframe/terminal-based applications). As explained above, access management system 120 may perform authentication of a user (e.g., user 102) operating a client device (e.g., client device 104). Authentication is the process by which a user is verified to determine that he/she is who he/she claims to be.

In some embodiments, access management system 140 may control access to resources using one or more policies stored in data store 180 ("policies"). Policies 180 may include an authentication policy that specifies the authentication method to be used to authenticate a user for whom access to a given resource must be provided. Policies 180 define the manner in which resource access is protected (e.g., the type of encryption, etc.). Policies 180 may include an authorization policy that specifies the conditions under which a user or group of users may access a resource. For example, an administrator may authorize only certain users within a group to access a particular resource. Access management system 140 may determine the authentication of an SSO session based on one or more of policies 180.

Access management system 140 may also include or be coupled to additional storage, which may be implemented using any type of persistent storage device, such as a memory storage device or other non-transitory computer-readable storage medium. In some embodiments, local storage may include or implement one or more databases (e.g., document databases, relational databases, or other types of databases), one or more file stores, one or more file systems, or a combination thereof. For example, access management system 140 is coupled to or includes one or more data stores for storing data such as temporary passwords 160, personal information 170, and policies 160. Both the memory and the additional storage are examples of computer-readable storage media. For example, computer-readable storage media may include volatile or non-volatile, removable or non-removable media implemented in any method or technology for storage of information, such as computer-readable instructions, data structures, program modules, or other data.

Session engine 142 may handle processing to determine whether a valid session exists for user 102 to access a resource. Session engine 142 checks for a valid session that lets user 102 access the protected requested resource. Session engine 142 may evaluate the validity of the session of user 102 based on consideration of one or more access policies applicable to user 102. Based on determining that no valid session exists for user 102, session engine 102 may request 108 credential information ("credentials") from user 102. Successful authentication of the credential information may provide the user with access to one or more resources, which may include the requested resource.

The request may be transmitted to client device 104, which in response prompts user 102 to enter user credentials to determine the authentication of a session. The request may include information (e.g., a URL) to a web page or user interface (e.g., a web page, portal, or dashboard) that receives credential information.

Session engine 142 may perform operations to authenticate the credential information of user 102. In some embodiments, session engine 142 may store information about a session established upon successful authentication of the user. For an SSO session (e.g., an SSO-authenticated session), the session may be managed as an SSO session that enables access to all resources accessible to the user based on successful authentication of the user's credential information.

In some embodiments, session engine 142 may communicate with authorization engine 144 regarding the scope of authentication. Authorization engine 210 may determine the protected resources and, based on authentication session 150, may determine the resources allowed and/or restricted for the session.

In some embodiments, access management system 140 may be implemented in system 100 according to an agent-server model for communication between client device 104 and any of the access manager servers implemented for access management system 140. The agent-server model may include an agent component (e.g., a gateway system) and a server component. The agent component may be deployed on a host system, and the server component may be deployed on a server, e.g., an access manager server. User 102 operating client device 104 may communicate with access management system 140 via agent 106 using an enterprise computer network. Client device 104 may be a workstation, personal computer (PC), laptop, smartphone, wearable computer, or other networked electronic device.

Agent 106 may provide access control and may operate to protect access management system 140, and any resources accessible through access management system 140, from external and internal web-based threats. Access management system 140 may communicate with one or more resource computing systems (e.g., resource servers) that provide access to one or more resources (e.g., applications 120). Agent 106 may be implemented or operate as the agent component of access management system 140, and may include a server operating as the server component. Each resource accessible through access management system 140 may be protected by an agent (e.g., agent 106). Agent 106 may intercept user requests for one or more resources it protects and check user credentials in order to authenticate the user. The agent may then contact a server, e.g., an access manager server at access management system 140. The access manager server may check whether the resource is a protected resource that requires credentials for access. If the access manager server determines that the resource is unprotected, agent 106 may grant access to user 102. If the resource is protected, agent 106 may request that user 102 provide authentication credentials.

In some embodiments, communication between agent 106 and access management system 140 may be split into two different communication channels. For example, communication via a front channel may use the Hypertext Transfer Protocol Secure (HTTPS) protocol. Front-channel communication may include less frequent communications, such as those for credential collection operations for authentication. Communication via a back channel may use the Open Access Protocol (OAP). Back-channel communication may include more frequent communications, such as agent-server interactions that include requests to access resources managed by access management system 140. Each channel may communicate using an access token designed for the type of communication on that channel. The access flow may generate two types of browser tokens. The first token is an access management ID token (e.g., an OAM_ID token), which serves SSO requests propagated over HTTP. The second token is an authorization token (e.g., an OAMAuthn token) that may be used to serve SSO requests propagated over OAP. The browser tokens may be stored at client device 104 as host cookies.

Access management system 140 (e.g., using agent 106) may present the request for authentication credentials to user 102 in the form of a challenge (e.g., via the user's web browser at client device 104). In some embodiments, user 102 may access an SSO user interface through a client executing on client device 104 or through a web browser on client device 104. The SSO user interface may be implemented at access management system 140. Access management system 140 may send, with request 108, the SSO user interface or information (e.g., a URL) that enables access to the SSO user interface.

In some embodiments, the SSO user interface may include a list of applications that user 102 commonly uses. User 102 may manage their credentials and policies associated with the applications through the SSO user interface. When user 102 requests access to an application (e.g., application 140) through the SSO user interface, a request may be sent from client device 104 to access management system 140 to determine the policy type of the application according to one or more policies 160 applicable to user 102. Access management system 140 may determine whether a valid session exists for the user and, if so, it may determine the credential information of user 102 based on the policy type.

In some embodiments, the request may include an authentication cookie from a previous login, which may be used to determine whether user 102 is authorized to retrieve the credentials. If authorized, the user may log into the application using the credentials. In some embodiments, agent 106 may enable a user to access applications 120 using the SSO services provided by the access management system. Access may be provided directly through a web browser without first accessing the SSO user interface or using a client executing on client device 104. If user 102 is not authorized, the access management system may request 108 credentials from user 102. The SSO user interface may present an interface that receives input including credential information. The credential information may be sent 110 to access management system 140 to determine the authentication of user 102.

In some embodiments, credential types such as Oracle Access Management protected resources, federated applications/resources, and form-fill applications may be supported. Examples of credential types may include smart cards/proximity cards, tokens, public key infrastructure (PKI), Windows login, Lightweight Directory Access Protocol (LDAP) login, biometric input, and the like. For OAM-protected resources, a user request may be authenticated and then directed to the URL associated with the requested resource. For federated applications, links may be provided to federated partners and resources, including business-to-business (B2B) partner applications and SaaS applications. For form-fill applications, templates may be used to identify the fields of the application web page through which credentials can be submitted.

In some embodiments, the SSO user interface that receives input for providing authentication credentials may include one or more interactive elements to initiate system verification. Examples of the interface may include those described with reference to FIGS. 6-9.

Turning now to FIG. 2, a system 200 is illustrated in which user 102 may initiate a process to verify the authenticity of access management system 140. The example shown in FIG. 2 may include elements of FIG. 1. In the example shown in system 200, verification of the authenticity of access management system 140 may be facilitated by one or more communications between access management system 140 and client device 104, which initiates the verification of access management system 140, and by one or more communications between access management system 140 and one or more destinations (such as client device 210). The destination may not be physically co-located with client device 104. A destination may correspond to a location, such as an email address or a phone number, from which data may be transmitted and/or received. The user operating client device 104 may have access to the destination, so that the user can facilitate the verification of access management system 140. The destination may enable the user to receive information from and/or send information to access management system 140.

Communication with the destination may be considered out-of-band, in that the communication is with a device that is not located at client device 104 and/or uses a communication mechanism different from the one used to communicate with client device 104. Communication with the destination may enable secure transfer of the information used to verify access management system 140, so as to prevent unauthorized users from gaining access to the information used for the verification of access management system 140. In at least one embodiment, verification of access management system 140 may include access management system 140 sending one or more communications 202 ("system verification communications") to one or more destinations (e.g., client device 210). Verification of access management system 140 may include the destination sending one or more communications 204 ("user verification communications") to access management system 140.

In at least one example, access management system 140 may send one or more system verification communications 202 to client device 210 to provide information, such as temporary access information and/or personal information, as part of the verification of access management system 140. The user operating client device 104 may access the destination to send a user verification communication 204 to the access management system to confirm receipt of the information. The user may access the destination to obtain the information from access management system 140, and respond to access management system 140 from client device 104 using the information obtained from the destination. In this manner, information may be communicated between access management system 140 and the user in a secure manner to reduce, if not prevent, unauthorized users from obtaining the information used for the verification of access management system 140. The use of both client device 104 and the destination further ensures that the information used for verification is received and/or checked. In some embodiments, an application 208 at a destination such as client device 210 may provide an interface to facilitate communication of the information used for the verification of access management system 140.

In some embodiments, access management system 140 may support a registration process through which the user operating client device 104 may register one or more destinations for the verification of access management system 140. Registration may include storing information about the destination. Each registered destination may be stored together with user identification information of the user who registered the destination. Access management system 140 may identify a destination based on user identification information provided by the user. The user may specify one or more criteria (e.g., time) for a destination, so that access management system 140 may communicate with the destination according to the criteria. Turning now to FIGS. 3 and 4, examples of the verification of access management system 140 are illustrated.
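The verification exchange described above, and earlier for system verification manager 146 and personal information handler 148, simulated end to end as an added example that is not code from the patent or from Oracle: the system delivers the temporary access information to a registered out-of-band destination, releases current personal information only after the echoed value checks out, and the client withholds credentials unless that information matches what the user knows. Every class and function name, the 120-second lifetime, and the sample destination and records are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 120  # assumed time criterion on the temporary access information


@dataclass
class Destination:
    """A registered out-of-band destination; the inbox list stands in for delivery."""
    kind: str
    address: str
    inbox: list = field(default_factory=list)


class AccessManagementSystem:
    """Server side: system verification manager plus personal information handler."""

    def __init__(self, destinations, personal_info, credentials, clock=time.time):
        self.destinations = destinations  # user_id -> Destination, from registration
        self.personal_info = personal_info  # user_id -> callable returning current records
        self.credentials = credentials  # user_id -> expected credential (demo stand-in)
        self.pending = {}  # user_id -> (otp, issued_at)
        self.clock = clock

    def request_system_verification(self, user_id):
        """Generate temporary access information and send it to the registered destination."""
        dest = self.destinations.get(user_id)
        if dest is None:
            return None  # no destination registered for this user
        otp = secrets.token_hex(4)  # constructed format: 8 hex characters
        self.pending[user_id] = (otp, self.clock())
        dest.inbox.append(otp)  # the out-of-band system verification communication
        return dest.kind, dest.address  # tells the client where to look, never the OTP

    def submit_temporary_access_info(self, user_id, otp_from_user):
        """Check the echoed OTP; only on success fetch personal information from current records."""
        pending = self.pending.pop(user_id, None)  # single use, whatever the outcome
        if pending is None or self.clock() - pending[1] > OTP_TTL_SECONDS:
            return None
        if not hmac.compare_digest(pending[0], otp_from_user):
            return None
        return self.personal_info[user_id]()  # fetched after the OTP check, so it is current

    def authenticate(self, user_id, credential):
        """Simplified credential check that establishes the session."""
        expected = self.credentials.get(user_id, "")
        return "session-established" if hmac.compare_digest(expected, credential) else "denied"


class ImpostorSystem:
    """No registration data: cannot reach the real destination, can only guess the records."""

    def request_system_verification(self, user_id):
        return "sms", "claims to have sent a code"

    def submit_temporary_access_info(self, user_id, otp_from_user):
        return {"last_deposit": "guessed value"}

    def authenticate(self, user_id, credential):
        return "session-established"  # would gladly accept the credential


class ClientDevice:
    """User side: credentials are released only after both checks pass."""

    def __init__(self, user_id, destination, known_facts):
        self.user_id = user_id
        self.destination = destination  # the device the user actually holds
        self.known_facts = known_facts  # what the user knows their recent records to be

    def verify_then_login(self, system, credential):
        if system.request_system_verification(self.user_id) is None:
            return "refused"
        otp = self.destination.inbox.pop() if self.destination.inbox else ""  # read out of band
        shown = system.submit_temporary_access_info(self.user_id, otp)
        if shown is None or shown != self.known_facts:
            return "refused"  # user marks the personal information wrong: no credential sent
        return system.authenticate(self.user_id, credential)


def run_demo():
    """Genuine, wrong-credential, impostor and expired-OTP outcomes on constructed data."""
    clock = [1_700_000_000.0]
    phone = Destination("sms", "+1-555-0100 (constructed)")
    facts = {"last_deposit": "2024-01-31 USD 1,250.00 (constructed)"}
    genuine = AccessManagementSystem({"alice": phone}, {"alice": lambda: dict(facts)},
                                     {"alice": "correct-horse"}, clock=lambda: clock[0])
    alice = ClientDevice("alice", phone, facts)
    results = {"genuine": alice.verify_then_login(genuine, "correct-horse")}
    results["wrong_credential"] = alice.verify_then_login(genuine, "wrong")
    results["impostor"] = alice.verify_then_login(ImpostorSystem(), "correct-horse")
    genuine.request_system_verification("alice")  # expired case: user waits past the TTL
    clock[0] += OTP_TTL_SECONDS + 1
    late = genuine.submit_temporary_access_info("alice", phone.inbox.pop())
    results["expired"] = "refused" if late is None else "shown"
    return results
```

The impostor case shows why the order matters: a system that cannot deliver to the registered destination or reproduce current records never receives a credential, and a stale or reused code yields no personal information at all.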

In some embodiments, embodiments such as those described with reference to FIGS. 3-9 may be described as processes depicted as flowcharts, flow diagrams, data flow diagrams, structure diagrams, sequence diagrams, or block diagrams. Although a sequence diagram or flowchart may describe the operations as a sequential process, many of the operations may be performed in parallel or concurrently. In addition, the order of the operations may be rearranged. A process terminates when its operations are completed, but may have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, and so on. When a process corresponds to a function, its termination may correspond to a return of the function to the calling function or the main function.

The processes described herein (such as the processes described with reference to FIGS. 3-9) may be implemented in software (e.g., code, instructions, programs) executed by one or more processing units (e.g., processor cores), in hardware, or in a combination thereof. The software may be stored in memory (e.g., on a memory device, on a non-transitory computer-readable storage medium). In some embodiments, the processes depicted in the flowcharts herein may be implemented by a computing system of an access management system (e.g., access management system 140 of FIGS. 1 and 2). The particular series of processing steps in this disclosure is not intended to be limiting. Other sequences of steps may also be performed according to alternative embodiments. For example, alternative embodiments of the invention may perform the steps outlined above in a different order. Moreover, the individual steps shown in the figures may include multiple sub-steps that may be performed in various sequences as appropriate to the individual step. Although the processes depicted in FIGS. 3-9 may be described with respect to accessing a single resource, such processes may be performed for multiple resources, so that verification of the computing system of the access management system may be requested whenever a resource is accessed and/or the user's authentication for access to a resource needs to be determined. The processes depicted in FIGS. 3-9 may be described with respect to multiple sessions, and verification of the computing system of the access management system may be requested for each session. Furthermore, depending on the particular application, additional steps may be added or removed. Those of ordinary skill in the art will recognize many variations, modifications, and alternatives.

In one aspect of some embodiments, each of the processes in FIGS. 3-9 may be performed by one or more processing units. A processing unit may include one or more processors (including single-core or multi-core processors), one or more cores of a processor, or a combination thereof. In some embodiments, a processing unit may include one or more special-purpose coprocessors, such as graphics processors, digital signal processors (DSPs), and the like. In some embodiments, some or all of the processing units may be implemented using custom circuitry, such as application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs).

FIGS. 3-4 illustrate sequence diagrams showing operations for enabling a user to verify the authenticity of an access management system (e.g., access management system 140), according to an embodiment. FIG. 3 shows a sequence diagram 300 for enabling a user to verify the authenticity of an access management system from a client device that the user operates to access one or more resources.

Beginning at step 312, a user operates client device 302 to request access to a resource whose access is managed by the access management system (the "requested resource"). A session engine 306 of the access management system may be configured to manage access to resources. Session engine 306 may handle authentication of client device 302 to establish a session. Session engine 306 may be implemented on a server (e.g., an authentication server) of the access management system. For example, session engine 306 may include or implement session engine 142 of FIG. 1.

As noted above, a resource may be an application or a resource accessible using an application. In the example of FIG. 3, client device 302 may be operated to request access to a resource through application 304. At step 314, application 304 may request access to the resource requested by client device 302. Application 304 may be an access management application that manages access by communicating with the access management system. The user may provide access credentials to the access management system via application 304 for authentication of the user. Session engine 306 may establish a session (e.g., an SSO session) after successfully authenticating the user. The session may enable the user to access one or more resources from client device 302.

In some embodiments, a request to access a resource may be handled by an agent, such as a web gateway. The agent may protect access to resources provided by a server. Client device 302 may communicate with access management system 140 by communicating with session engine 306 directly, or indirectly via the agent. The agent may intercept user requests for one or more resources it protects in order to determine access to the requested resources. The agent may check user credentials in order to authenticate the user for a session accessing those resources controlled by the access management system. The agent may determine whether a resource is protected and, if so, whether an active session exists that enables access to the resource from client device 302 via application 304.

Session engine 306 may handle authentication of client device 302 to establish a session. Upon receiving the request to access a resource, at step 320 session engine 306 may determine whether a valid session is required to access the resource. For example, session engine 306 may determine whether access to the resource is protected. Access to a resource may be based on authentication of the user. Session engine 306 may determine whether a valid session is active for the user. The existence of a valid session may indicate that the user has been authenticated. Session engine 306 may determine whether an active session enables access to a resource, such as the requested resource. In some embodiments, authentication may be specific to certain resources. In some embodiments, session engine 306 may evaluate the validity of the user's session by considering one or more access policies applicable to the user.

At step 322, session engine 306 may determine that the user is not authenticated to access the requested resource. Session engine 306 may determine that the user is not authenticated by determining that no valid session exists for the user. At step 330, after determining that the user is not authenticated to access the resource, session engine 306 may send client device 302 a request for user credential information (a "request for user credentials"). Client device 302 receives the request for credential information. In some embodiments, the request from step 330 may be received via application 304.

In response to the request for user credentials, client device 302 may provide an interface that enables the client device to receive credential information. The interface may be provided in an application, such as application 304. An example of the interface is described below with reference to FIG. 6. The interface may include one or more interactive elements that enable the user to request verification of the system that is requesting the user's credentials (e.g., the access management system that includes session engine 306). To request verification of the system, the interface may enable the user to enter a user credential (e.g., user identification information) identifying the user associated with the request. As described further below, session engine 306 may use the user identification information to determine the destination for communications related to verification of the system. At step 332, client device 302 may receive the request for system verification. Client device 302 may receive the user identification information. At step 340, client device 302 may send the request for system verification to session engine 306. The request may be sent together with the user identification information.

At step 350, session engine 306 may determine whether the user requesting system verification is permitted to request it. Session engine 306 may begin a system verification process to verify the access management system by accessing and verifying the user identification information. Session engine 306 may verify the user identification information by determining whether it is valid (e.g., exists) and, if so, whether it is associated with the user. Session engine 306 may access an identity management system to verify the user identification information.

After session engine 306 verifies the user identification information (i.e., determines that the user identification information is valid and is associated with the user), session engine 306 may receive from the identity management system the communication preferences associated with the user identification information. The communication preferences may indicate one or more destinations designated to receive temporary access information for system verification. Session engine 306 may communicate with the destination(s) to provide the temporary access information.

At step 350, session engine 306 may determine temporary access information (e.g., a one-time password) for the user requesting system verification of the access management system. The temporary access information may be used as part of the system verification process. The temporary access information may be generated by the access management system and/or may be obtained from a third-party system. In some embodiments, the temporary access information may be generated before the request for system verification. The temporary access information may be associated with one or more constraints that limit its use to a limited period of time.

At step 352, session engine 306 may send the temporary access information to the user requesting system verification. The temporary access information may be sent to the user at one or more destinations identified based on the user's communication preferences. As noted above, the communication preferences may be retrieved using the user identification information. In some embodiments, the destination may include the client device requesting system verification (e.g., client device 302). By default (e.g., when the user has not provided communication preferences), the temporary access information may be sent to the client device requesting system verification (e.g., 302). The temporary access information may be delivered to the client device using one or more communication systems (e.g., messaging services).

At step 360, the user requesting system verification may operate client device 302. The user may operate client device 302 to obtain the temporary access information. Client device 302 may provide an interface with one or more interactive elements for receiving the temporary access information. The user may operate client device 302 to enter the temporary access information in the interface. Client device 302 receives the temporary access information entered into the interface. At step 362, client device 302 may send the temporary access information to the access management system (e.g., session engine 306) to continue the system verification process.

At step 370, session engine 306 may verify the temporary access information. Verifying the temporary access information may include determining whether the constraints on the temporary access information are satisfied. For example, where the temporary access information is associated with a time limit, session engine 306 may determine, based on the time limit, whether the temporary access information has expired. When a constraint is not satisfied (i.e., when the temporary access information has expired), the temporary access information cannot be accepted for system verification. At step 352, verifying the temporary access information may include determining whether it matches the temporary access information sent to client device 302. The temporary access information may be stored in association with the user identification information of the user requesting system verification.

Also at step 370, session engine 306 may determine personal information as part of system verification. The personal information may be determined upon verifying the temporary access information. The personal information may be generated by session engine 306. In some embodiments, the personal information may be obtained from a third-party source (e.g., a financial system) that is not part of the access management system being verified. The personal information may include recent information associated with the user that is not otherwise accessible to a user who is not the holder of the user identification information (e.g., an unauthorized user). The recent information may include, for example, financial information obtained from current financial records (e.g., bank records). To ensure that the personal information is based on current records, session engine 306 may determine the personal information at the time the temporary access information is verified.

At step 372, session engine 306 may send the personal information to a client device associated with the user requesting system verification. The client device may be the device that requested system verification. By sending the personal information to a client device known to be associated with the user, session engine 306 ensures that the personal information is not sent to a user who is not authorized to access it. The user operating client device 302 can be assured that the personal information comes from a trusted source that has been verified as an authorized access management system. At step 380, the client device associated with the user requesting system verification may display the personal information for the user to check. For example, the personal information may be displayed in an interface. It is assumed that the client device requesting system verification may be the client device that receives the personal information. Because the personal information is sent by the access management system as part of system verification, the personal information may be accurate and current with respect to the user requesting system verification. The personal information may be determined based on a recent query about the user's personal information made after the user's request for system verification.

At step 380, client device 302 may present the user with an interface that enables the user to provide input confirming that the personal information is correct. After the personal information has been confirmed as correct, client device 302 may present the user with an interface to receive credential information corresponding to the user's user identification information. Once the personal information has been confirmed as accurate, the system verification process may be completed by the user submitting the credential information. Client device 302 may send credential information 382 to session engine 306 for verification.

At step 390, session engine 306 may verify the user's credential information. Verifying the credential information may include determining whether it matches previously established credential information associated with the user's user identification information. Access to the resource requested at step 312 may be authorized based on verifying that the credential information is correct. At step 392, session engine 306 may authorize access to the requested resource. Access may be authorized by storing information indicating that access is authorized. Session engine 306 may send client device 302 data indicating information about the authorized access. In some embodiments, the data about the authorized access may be sent to application 304. At step 394, application 304 may enable access to the resource (e.g., application 304) based on the data received from session engine 306 indicating that access has been authorized.

Turning now to FIG. 4, a sequence diagram 400 is shown for enabling a user to verify the authenticity of an access management system using multiple client devices. Specifically, sequence diagram 400 shows that system verification of the access management system may be facilitated using an out-of-band communication channel. For example, the system verification described with reference to FIG. 3 may be strengthened by adding out-of-band communication with a destination 410 (an "out-of-band destination") that is physically separate from client device 302. For example, destination 410 may be a client device, different from client device 302, that is under the control of the user operating client device 302. Destination 410 may be a mobile communication device and client device 302 may be a desktop computer. Out-of-band communication may improve the security of the system verification process by preventing, or making it more difficult for, an unauthorized user (e.g., a hacker or identity thief) to obtain sensitive information such as the personal information and the temporary access information.

Building on the example shown in FIG. 3, the example in FIG. 4 illustrates communication with an out-of-band destination as part of system verification. An out-of-band destination is useful for enabling the user to receive and/or send important communications as part of system verification without the information sent in those communications being compromised. Because a hacker may not know the destination, security can be improved by communicating with the destination. As a result, a hacker may be unable to access or intercept information such as the personal information and the temporary access information.

The user operating client device 302 may register with the access management system before any process such as the system verification depicted in FIG. 3 and FIG. 4 takes place. The user may register by providing information about the user, including information about one or more destinations to be used for system verification. The information about a destination may include device information about one or more client devices controlled by the user and/or any information about other types of destinations (e.g., email account information). The information about the user may be stored in association with the user identification information and the credential information. In some embodiments, the user may register the information with an identity management system accessible to the access management system. Registration may include the user providing information about the destination. The access management system may communicate with the user for system verification via one or more of the client device that initiated system verification and/or the out-of-band destination.

The example shown in FIG. 4 may include elements similar to those of FIG. 3. The user operating client device 302 may request access to a resource controlled by the access management system that includes session engine 306. As part of obtaining access to the requested resource, the user may initiate system verification of the access management system. After system verification is initiated, session engine 306 may communicate with the user via out-of-band destination 410 for one or more steps of the system verification process.

In some embodiments, after determining the temporary access information at step 350, session engine 306 may send the temporary access information to one or more destinations other than client device 302. For example, at step 452, session engine 306 may send the temporary access information (e.g., a temporary password) to destination 410. Session engine 306 may send the temporary access information to destination 410 in addition to, or instead of, sending it to client device 302. Where the temporary access information is not sent to client device 302, the user operating client device 302 may have to obtain it from destination 410. At step 454, the destination (if it is a device) may send the temporary access information to client device 302, or, if the destination is accessible to the user, the user may be able to obtain the temporary access information from destination 410. As noted above, the temporary access information is provided by the user to the access management system as part of the system verification process. In FIG. 4, client device 302 may receive the temporary access information as input from the user at step 360, or from destination 410 at step 454.

In some embodiments, as part of system verification, the access management system may send the personal information to one or more out-of-band destinations (e.g., destination 410) in addition to, or instead of, sending it to client device 302. For example, after generating the personal information at step 370, session engine 306 may send the personal information to destination 410. To strengthen the security of system verification, the personal information may be sent to an out-of-band destination to prevent access by unauthorized users. An unauthorized user may not know that the destination exists and, even if they do, may not know the personal information related to the system verification process. In some embodiments, the personal information may be shared between client device 302, which initiated system verification, and the one or more destinations that receive the personal information.

Continuing the system verification process, the personal information, wherever it is received, may be evaluated by the user to determine whether it is correct. In some embodiments, the system verification process may include providing an interface (e.g., the interface in FIG. 8) that enables the user to provide input indicating whether the personal information is correct. The interface may be presented to the user at client device 302 or at destination 410. In the example of FIG. 4, the interface may be presented to the user at step 380. At step 380, client device 302 may receive, via the interface at client device 302, input indicating confirmation of the personal information.

Thus, by providing one or more destinations as part of system verification, it can be ensured that no information of the user's access management system is compromised by an unauthorized user during system verification.
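The exchange of FIGS. 3 and 4, written out as a runnable model of both sides (an added illustration, not code from the patent or from Oracle's product; the class and message names, the 120-second lifetime constraint, the identity-store layout, the password hashing and the sample user record are all constructed for the example). It shows the points the description relies on: nothing is sent for an unknown user identifier, the temporary access information is checked for both a match and expiry and is consumed on first use, the personal information is released only after that check, and the user withholds the password when the personal information does not match what the user expects.

```python
"""Model of end-user-initiated verification of an access management system (FIGS. 3-4).

Added example; all identifiers, constants and sample data are constructed here.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120  # assumed time-limit constraint on the temporary access information


def hash_password(password: str, salt: bytes) -> bytes:
    """Credential information is stored only as a salted PBKDF2 hash (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    """Constructed identity-store entry: credential hash, registered destinations, recent record."""
    salt: bytes
    password_hash: bytes
    destinations: list       # registered out-of-band destinations; empty means none registered
    recent_activity: str     # stands in for recent personal information from a current record


def make_record(password: str, destinations: list, recent_activity: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(salt, hash_password(password, salt), destinations, recent_activity)


class SessionEngine:
    """Server side: the role session engine 306 plays in the description above."""

    def __init__(self, identity_store: dict, clock=time.time):
        self.identity_store = identity_store
        self.clock = clock
        self.pending = {}      # user id -> (otp, expiry); temporary access info stored with the user id
        self.sessions = set()  # user ids that currently hold a valid session
        self.outbox = []       # (destination, otp) pairs; stands in for the messaging service

    def request_resource(self, user_id: str) -> str:
        """Steps 312-330: a protected resource with no valid session triggers a credential request."""
        return "access-granted" if user_id in self.sessions else "request-user-credentials"

    def request_system_verification(self, user_id: str, requesting_device: str) -> str:
        """Steps 340-352: verify the user identifier, then send an OTP to the registered destinations.
        Unknown identifiers get nothing, so the endpoint cannot be used to probe which ids exist."""
        record = self.identity_store.get(user_id)
        if record is None:
            return "rejected"
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = (otp, self.clock() + OTP_TTL_SECONDS)
        for dest in record.destinations or [requesting_device]:   # default: the requesting device
            self.outbox.append((dest, otp))
        return "otp-sent"

    def submit_otp(self, user_id: str, otp: str):
        """Step 370: the OTP must match and be unexpired; it is consumed on the first attempt either
        way. Only then is the user's recent personal information returned (step 372)."""
        entry = self.pending.pop(user_id, None)
        if entry is None:
            return None
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(expected, otp):
            return None
        return self.identity_store[user_id].recent_activity

    def submit_credentials(self, user_id: str, password: str) -> str:
        """Steps 390-392: verify the credential against the stored hash and establish the session."""
        record = self.identity_store.get(user_id)
        if record is None or not hmac.compare_digest(record.password_hash,
                                                     hash_password(password, record.salt)):
            return "denied"
        self.sessions.add(user_id)
        return "access-granted"


def user_verifies_then_logs_in(engine: SessionEngine, user_id: str, device: str,
                               password: str, expected_activity: str) -> str:
    """Client side: the user asks the system to prove itself before typing a password."""
    if engine.request_resource(user_id) != "request-user-credentials":
        return "already-authenticated"
    if engine.request_system_verification(user_id, device) != "otp-sent":
        return "verification-refused"
    _, otp = engine.outbox[-1]               # the user reads the OTP at the registered destination
    personal_info = engine.submit_otp(user_id, otp)
    if personal_info != expected_activity:   # system failed verification: no credentials are entered
        return "credentials-withheld"
    return engine.submit_credentials(user_id, password)


if __name__ == "__main__":
    store = {"alice": make_record("correct horse", ["sms:+1-555-0100"], "Debit of 42.00 on 2016-09-01")}
    engine = SessionEngine(store)
    print(user_verifies_then_logs_in(engine, "alice", "desktop", "correct horse",
                                     "Debit of 42.00 on 2016-09-01"))
```

The outbox is where a real deployment would hand the message to an SMS or e-mail service; reading it from the client function stands in for the user looking at the phone. The `clock` parameter exists so the expiry constraint can be exercised without waiting.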

FIG. 5 illustrates a flowchart 500 of a process for enabling a user to verify the authenticity of an access management system, according to an embodiment. In some embodiments, the process depicted in flowchart 500 may be implemented by access management system 140 of FIGS. 1 and 2.

Flowchart 500 may begin at step 502 by determining whether a user is authenticated for access from a client device. For example, the access management system may determine whether the user is authenticated to access a resource requested by the user. Authentication may be determined for access from a particular client device (e.g., the client device from which the user requests access). Authentication of the user may be determined based on credential information (e.g., a user identifier and password) provided by the user (e.g., received from a client device operated by the user). Based on verification of the credential information, the user may be authenticated for access from the client device.

In some embodiments, the access management system may determine whether the user is authenticated based on whether a valid session (e.g., an SSO session) exists for the user. After determining that a valid session exists, the user may be treated as authenticated. In some embodiments, the access management system may determine whether, for the valid session (if one exists), the user is entitled to access the resource requested by the user.

At step 504, a request may be sent to the client device operated by the user. The request may be sent for the user's credential information in order to authenticate the user. The request may be sent after determining that the user is not authenticated (e.g., not authenticated to access the resource).

At step 506, a verification request may be received from the client device. The verification request may be submitted to request verification of a computing system of the access management system. The computing system whose verification is requested may be the same computing system that requested the authentication information from the user. In some embodiments, the user may submit the verification request through a GUI, such as the GUI described further below with reference to FIG. 6. The GUI may receive input that includes user identification information. The user identification information may be included in the verification request. As described further below, the user identification information may enable the access management system to determine the destination for the communication of temporary access information (e.g., a one-time password).

A destination associated with the user may be identified at step 508. The destination may be identified based on the user identification information in the verification request (e.g., the verification request received at step 506). The user identification information may include a user identifier (e.g., a username) or other information (e.g., a phone number or email address) that uniquely identifies the user. In one example, the access management system may retrieve, from an identity management system, the profile of the user identified by the user identification information. The destination may be identified based on the profile, which indicates one or more destinations for communicating with the user. A destination may include an email address, the phone number of a mobile device, or any other location to which information can be sent.

At step 510, temporary access information may be sent to the destination. The destination may be the destination identified based on the user identification information in the verification request. The temporary access information may be sent for the user to authenticate the computing system. The temporary access information may be a one-time password (OTP) that the user uses to confirm the sender of the temporary access information. The temporary access information may enable the user to verify that the computing system of the access management system is in fact the genuine computing system of the access management system.

To protect against unauthorized access to user accounts managed by the access management system, the access management system may communicate with the user at a destination different from the client device. The destination may be out-of-band or off-channel from the client device requesting verification of the access management system. The destination may be located on a device accessible to the user, or may otherwise be accessible to the user (e.g., a location in memory or a location accessible at a remote computing system). The destination may be chosen such that it is unknown to an unauthorized system intending to fraudulently gain access to the user account. For example, the destination may be a client device (e.g., a mobile device) different from the client device (e.g., a terminal) that sent the verification request. In another example, the destination is an email address to which an email message including the temporary access information can be sent. In some embodiments, the destination is the same client device from which the verification request was received.

At step 512, a response may be received from the client device (e.g., the client device that sent the verification request). The response may include the temporary access information that was sent to the destination. The user may obtain the temporary access information from the destination. In some embodiments, a GUI such as the one shown with reference to FIG. 7 may be presented at the client device to receive the temporary access information obtained by the user from the destination. The temporary access information may be included in the response received from the GUI.

At step 514, the temporary access information received in the response at step 512 may be verified. The access management system may determine whether the temporary access information received from the client device is identical to, or matches, the temporary access information sent to the destination. In some embodiments, the temporary access information may be limited or temporary, such that it is associated with one or more constraints (e.g., a time period). Temporary access information, although received at the destination, may be invalid when the constraint(s) are not satisfied. Verifying the temporary access information may include determining whether the constraint(s) for the temporary access information have been satisfied.

At step 516, personal information about the user of the client device that sent the verification request may be sent to the client device. The personal information may be sent to the client device after verifying that the temporary access information satisfies the constraints. As part of the verification of the access management system, the access management system may provide personal information about the user so that the user can verify the system's authenticity before the user provides his/her credentials to the access management system. The personal information may include current information that is not accessible to other computing systems (e.g., phishing or hacking computing systems designed to fraudulently gain access to user accounts). The personal information may be supplied by one or more sources that the user has authorized the access management system to access. Examples of personal information may include financial information (e.g., recent transactions, a recent account balance, etc.) or other private or confidential information. The personal information may include information that has been updated recently, so that the chance that it has been obtained without authorization is low.

When the client device receives the personal information, the client device may display the personal information in a GUI, such as the example described with reference to FIG. 8. Through the GUI, the user can verify the personal information to confirm its authenticity. The GUI may include one or more interactive elements to receive confirmation of the personal information and credential information (e.g., a password) of the user associated with the user identification information received with the verification request at step 506.

At step 518, a response may be received from the client device requesting verification of the access management system. The response may be received from the client device in response to input, received via the GUI, indicating that the personal information sent at step 516 has been verified as accurate. The response may include credential data of the user who confirmed the personal information. The credential data may include credential information (e.g., a password) for accessing the account associated with the user identification information received at step 506.

The user who sent the response at step 518 may be authenticated to determine access to the resource from the client device. The user may be authenticated based on the credential data received at step 518. The credential data may be compared with the stored credential information for the user's user identification information to determine whether they match. At step 520, after determining that the credential data matches the stored credential information, the user may be authenticated to access the resource. After the user is authenticated, a session may be established for the user at the client device to access the resource. In some embodiments, the user may be further authenticated based on the confirmation received in the response at step 518. Based on determining that the user is authenticated to access the resource from the client device, access may be granted to the user. The flowchart ends at step 522.
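As an added example (not code from the patent or from Oracle), the following Python simulation walks the server side of flowchart 500 in the order just described: verification request, destination lookup, out-of-band OTP delivery, OTP check under a time constraint and one-time use, release of recent personal information, and the final credential check. The class and function names, the 120-second OTP lifetime and the sample profile are assumptions made for this illustration.

```python
"""Constructed simulation of the access-management-system side of
flowchart 500 (not the patent's own code). Names, the OTP lifetime and
the sample profile are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # assumed constraint on the temporary access information


@dataclass
class Profile:
    user_id: str
    destination: str           # out-of-band destination (e.g. e-mail address or phone)
    password: str              # plaintext only to keep the example short; store a salted hash
    recent_personal_info: str  # e.g. the most recent transaction


@dataclass
class PendingOtp:
    value: str
    issued_at: float
    used: bool = False


def _eq(a, b):
    """Constant-time string comparison (avoids timing side channels)."""
    return hmac.compare_digest(a.encode(), b.encode())


class AccessManager:
    def __init__(self, profiles, outbox, clock=time.time):
        self._profiles = {p.user_id: p for p in profiles}
        self._outbox = outbox      # simulated out-of-band channel: list of (destination, otp)
        self._pending = {}
        self._clock = clock        # injectable so the time constraint can be tested

    def request_verification(self, user_id):
        """Steps 506-510: take the user identification, find the destination
        from the profile and send a fresh OTP there, not to the requesting client."""
        profile = self._profiles.get(user_id)
        if profile is None:
            return False           # nothing is sent for unknown identifiers
        otp = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[user_id] = PendingOtp(otp, self._clock())
        self._outbox.append((profile.destination, otp))
        return True

    def verify_otp(self, user_id, submitted):
        """Steps 512-516: the client echoes back the OTP obtained at the
        destination; it is accepted once, within OTP_TTL_SECONDS, and only if
        it matches. On success the user's recent personal information is
        released so the user can judge whether the system is genuine."""
        pending = self._pending.get(user_id)
        if pending is None or pending.used:
            return None
        pending.used = True        # one-time: a wrong guess burns it too
        if self._clock() - pending.issued_at > OTP_TTL_SECONDS:
            return None            # constraint not satisfied
        if not _eq(pending.value, submitted):
            return None
        return self._profiles[user_id].recent_personal_info

    def authenticate(self, user_id, confirmed, password):
        """Steps 518-520: accept credentials only together with the user's
        confirmation of the personal information, then compare with the
        stored credential."""
        profile = self._profiles.get(user_id)
        if profile is None or not confirmed:
            return False
        return _eq(profile.password, password)


if __name__ == "__main__":
    outbox = []
    manager = AccessManager(
        [Profile("alice", "alice@example.com", "correct horse",
                 "last transaction: -42.10 on 2024-01-05")],   # constructed sample
        outbox)
    manager.request_verification("alice")
    destination, otp = outbox[-1]                # user reads the OTP at the destination
    print("OTP delivered to", destination)
    print("personal info shown:", manager.verify_otp("alice", otp))
    print("login ok:", manager.authenticate("alice", True, "correct horse"))
```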

FIGS. 6-9 illustrate interfaces (e.g., GUIs) for enabling a user to verify the authenticity of an access management system, according to an embodiment. Each of the GUIs in FIGS. 6-9 may be displayed in an application, such as application 108 of FIG. 1. GUI 600 may be displayed by an access management application that manages access to one or more resources. GUI 600 may be generated by the client device, may be received from the access management system that generates the GUI, or a combination thereof. GUI 600 may be provided by the access management system via a network as part of a service (e.g., a cloud service) or a network-accessible application. In at least one example, an operator of the access management system may operate a client device to interact with GUI 600.

Turning now to FIG. 6, depicted is a GUI 600 that enables a user to enter credential information to establish a session (e.g., an SSO session) for accessing one or more resources. GUI 600 may include one or more interactive elements to enable the user to gain access to the account that provides the session. For example, GUI 600 may include interactive element 610 to receive credential information such as user identification information (e.g., a username). GUI 600 may include interactive element 630, which receives input to initiate an access process (e.g., a login process) for authentication of the user. The access process may enable the user to access an account managed by the access management system. By initiating the access process, the GUI described with respect to FIG. 9 may be displayed to receive input, e.g., credential information (e.g., a password), to determine access for the user associated with the user identification information.

In some embodiments, GUI 600 may include interactive element 620, which receives input to initiate a confirmation request to determine the authenticity of the computing system requesting credential information via GUI 600. By initiating the confirmation request, the user may be enabled to determine whether the computing system requesting the credential information is actually the genuine (e.g., non-fraudulent) system that manages access to the account associated with the credential information.

In FIG. 7, a GUI 700 is depicted that enables a user to enter temporary access information (e.g., a one-time password). As noted above, the temporary access information may be received by the client device from the computing system of the access management system as part of the authentication process. The access management system may establish its authenticity by sending the temporary access information to a destination (e.g., a device different from the client device requesting verification of the access management system). As part of the process of verifying the access management system, the access management system may send a request to the client device (e.g., the client device that initiated the verification request) to receive the temporary access information that was sent to the destination. In some embodiments, the client device may display GUI 700, which receives the temporary access information via interactive element 710. GUI 700 may include interactive element 720, which receives input to send (e.g., submit) the temporary access information to the access management system. The temporary access information may be submitted to the access management system. The access management system may confirm the user's verification of the temporary access information. The access management system may verify the temporary access information to determine whether it matches the temporary access information sent to the destination.

In FIG. 8, a GUI 800 is shown that enables a user to determine the authenticity of the access management system. GUI 800 may display personal information about the user requesting verification of the access management system. As described above, the access management system may send personal information about the user to the client device operated by the user requesting verification of the access management system. The personal information may be sent to the user after verifying the temporary access information received from the user. In some embodiments, the personal information may be sent to the client device that initiated the request to determine the authenticity of the access management system.

The client device may display GUI 800 to present the personal information for verification by the user operating the client device. The personal information may be provided as part of the process of verifying the authenticity of the access management system. The user may review the personal information displayed by GUI 800 to determine whether it is accurate. GUI 800 may include one or more interactive elements to receive input indicating whether the personal information is accurate. The interactive element(s) may enable the user to submit a request to the access management system confirming the accuracy of the personal information. In some embodiments, the interactive element(s) in GUI 800 may receive input to send an access request (e.g., a login request) to access the account of the user for whom the personal information is displayed. For example, GUI 800 may include interactive element 820, which receives input for requesting access to the account. After input is received via interactive element 820, the access request may be submitted to the access management system. GUI 800 may include interactive element 810 to receive access information (e.g., a password) for accessing the account of the user for whom the personal information is displayed. The access information may correspond to the user identification information received in the GUI described with reference to FIG. 6. The access information may be submitted to the access management system together with the access request. The access management system may determine access to the account based on verifying the access information submitted using GUI 800.

FIG. 9 depicts a GUI 900 that enables a user to provide access information (e.g., a password) to request access to an account associated with the user. The account may be identified by a user identifier associated with the account. The user identification information may be provided in a different GUI, e.g., GUI 600 described with reference to FIG. 6. GUI 900 may be displayed when the access process is initiated by interacting with interactive element 630 of FIG. 6. GUI 900 may include interactive element 910 to receive credential information for the account. Interactive element 920 may be interactive to determine the login process based on the credential information. In some embodiments, GUI 900 may be displayed when the user decides not to verify the authenticity of the access management system. In some embodiments, GUI 900 and GUI 600 may be combined to reduce the number of steps the user takes to provide credential information for the access process.

FIG. 10 depicts a simplified diagram of a distributed system 1000 for implementing an embodiment. In the illustrated embodiment, distributed system 1000 includes one or more client computing devices 1002, 1004, 1006, and 1008 configured to execute and operate client applications, such as web browsers, proprietary clients (e.g., Oracle Forms), and the like, over one or more networks 1010. Server 1012 may be communicatively coupled with remote client computing devices 1002, 1004, 1006, and 1008 via network 1010.

In various embodiments, server 1012 may be adapted to run one or more services or software applications. In certain embodiments, server 1012 may also provide other services, or the software applications may include non-virtual and virtual environments. In some embodiments, these services may be provided to users of client computing devices 1002, 1004, 1006, and/or 1008 as web-based or cloud services, or under a software-as-a-service (SaaS) model. Users operating client computing devices 1002, 1004, 1006, and/or 1008 may in turn utilize one or more client applications to interact with server 1012 to make use of the services provided by these components.

In the configuration depicted in FIG. 10, software components 1018, 1020, and 1022 of system 1000 are shown as implemented on server 1012. In other embodiments, one or more of the components of system 1000 and/or the services provided by those components may also be implemented by one or more of client computing devices 1002, 1004, 1006, and/or 1008. A user operating a client computing device may then utilize one or more client applications to use the services provided by these components. These components may be implemented in hardware, firmware, software, or a combination thereof. It should be understood that various different system configurations are possible, which may differ from distributed system 1000. Accordingly, the embodiment shown in FIG. 10 is one example of a distributed system for implementing an embodiment system and is not intended to be limiting.

Client computing devices 1002, 1004, 1006, and/or 1008 may include various types of computing systems. For example, a client computing device may include a portable handheld device (e.g., a cellular phone, a computing tablet, a personal digital assistant (PDA)) or a wearable device (e.g., a Google head-mounted display) running software such as Microsoft Windows and/or any of a variety of mobile operating systems such as iOS, Windows Phone, Android, BlackBerry 10, and Palm OS. The devices may support various applications, such as various Internet-related applications, email, and short message service (SMS) applications, and may use various other communication protocols. Client computing devices may also include general-purpose personal computers, by way of example, personal computers and/or laptop computers running various versions of Microsoft, Apple, and/or Linux operating systems. Client computing devices may be workstation computers running any of a variety of commercially available or UNIX-like operating systems (including, but not limited to, the various GNU/Linux operating systems such as Google Chrome OS). Client computing devices may also include electronic devices capable of communicating over network(s) 1010, such as thin-client computers, Internet-enabled gaming systems (e.g., a Microsoft game console with or without a gesture input device), and/or personal messaging devices.

Although distributed system 1000 in FIG. 10 is shown with four client computing devices, any number of client computing devices may be supported. Other devices, such as devices with sensors, may interact with server 1012.

Network(s) 1010 in distributed system 1000 may be any type of network familiar to those skilled in the art that can support data communications using any of a variety of available protocols, including but not limited to TCP/IP (Transmission Control Protocol/Internet Protocol), SNA (Systems Network Architecture), IPX (Internetwork Packet Exchange), AppleTalk, and the like. By way of example only, network(s) 1010 may be a local area network (LAN), an Ethernet-based network, a token ring, a wide area network, the Internet, a virtual network, a virtual private network (VPN), an intranet, an extranet, a public switched telephone network (PSTN), an infrared network, a wireless network (e.g., a network operating under any of the Institute of Electrical and Electronics Engineers (IEEE) 802.11 suite of protocols and/or any other wireless protocol), and/or any combination of these and/or other networks.

Server 1012 may be composed of one or more general-purpose computers, specialized server computers (including, by way of example, PC (personal computer) servers, servers, mid-range servers, mainframe computers, rack-mounted servers, etc.), server farms, server clusters, or any other appropriate arrangement and/or combination. Server 1012 may include one or more virtual machines running virtual operating systems, or other computing architectures involving virtualization. One or more flexible pools of logical storage devices may be virtualized to maintain virtual storage devices for the server. Virtual networks may be controlled by server 1012 using software-defined networking. In various embodiments, server 1012 may be adapted to run one or more of the services or software applications described in the foregoing disclosure. For example, server 1012 may correspond to a server for performing the processing described above according to an embodiment of the present disclosure.

Server 1012 may run an operating system including any of those discussed above, as well as any commercially available server operating system. Server 1012 may also run any of a variety of additional server applications and/or mid-tier applications, including HTTP (Hypertext Transfer Protocol) servers, FTP (File Transfer Protocol) servers, CGI (Common Gateway Interface) servers, servers, database servers, and the like. Exemplary database servers include, without limitation, those commercially available from Oracle, Microsoft, Sybase, IBM (International Business Machines), and the like.

In some implementations, server 1012 may include one or more applications to analyze and consolidate data feeds and/or event updates received from users of client computing devices 1002, 1004, 1006, and 1008. As an example, data feeds and/or event updates may include, but are not limited to, feeds, updates, or real-time updates received from one or more third-party information sources and continuous data streams, which may include real-time events related to sensor data applications, financial tickers, network performance measuring tools (e.g., network monitoring and traffic management applications), clickstream analysis tools, automobile traffic monitoring, and the like. Server 1012 may also include one or more applications to display the data feeds and/or real-time events via one or more display devices of client computing devices 1002, 1004, 1006, and 1008.

Distributed system 1000 may also include one or more databases 1014 and 1016. These databases may provide a mechanism for storing information such as user interaction information, usage pattern information, adaptation rule information, and other information used by embodiments of the present invention. Databases 1014 and 1016 may reside in a variety of locations. By way of example, one or more of databases 1014 and 1016 may reside on a non-transitory storage medium local to (and/or resident in) server 1012. Alternatively, databases 1014 and 1016 may be remote from server 1012 and in communication with server 1012 via a network-based or dedicated connection. In one set of embodiments, databases 1014 and 1016 may reside in a storage area network (SAN). Similarly, any necessary files for performing the functions attributed to server 1012 may be stored locally on server 1012 and/or remotely, as appropriate. In one set of embodiments, databases 1014 and 1016 may include relational databases, such as databases provided by Oracle, that are adapted to store, update, and retrieve data in response to SQL-formatted commands.

In some embodiments, a cloud environment may provide one or more services. FIG. 11 is a simplified block diagram of one or more components of a system environment 1100 in which services may be offered as cloud services, in accordance with an embodiment of the present disclosure. In the embodiment shown in FIG. 11, system environment 1100 includes one or more client computing devices 1104, 1106, and 1108 that may be used by users to interact with a cloud infrastructure system 1102 that provides cloud services. Cloud infrastructure system 1102 may include one or more computers and/or servers, which may include those described above for server 1012.

It should be appreciated that cloud infrastructure system 1102 depicted in FIG. 11 may have other components than those depicted. Further, the embodiment shown in FIG. 11 is only one example of a cloud infrastructure system that may incorporate an embodiment of the invention. In some other embodiments, cloud infrastructure system 1102 may have more or fewer components than shown in the figure, may combine two or more components, or may have a different configuration or arrangement of components.

Client computing devices 1104, 1106, and 1108 may be devices similar to those described above for client computing devices 1002, 1004, 1006, and 1008. Client computing devices 1104, 1106, and 1108 may be configured to operate a client application such as a web browser, a proprietary client application (e.g., Oracle Forms), or some other application, which may be used by a user of the client computing device to interact with cloud infrastructure system 1102 to use services provided by cloud infrastructure system 1102. Although exemplary system environment 1100 is shown with three client computing devices, any number of client computing devices may be supported. Other devices, such as devices with sensors, may interact with cloud infrastructure system 1102.

Network(s) 1110 may facilitate communications and exchange of data between client computing devices 1104, 1106, and 1108 and cloud infrastructure system 1102. Each network may be any type of network familiar to those skilled in the art that can support data communications using any of a variety of commercially available protocols, including those described above for network(s) 1010.

In certain embodiments, services provided by cloud infrastructure system 1102 may include a host of services that are made available to users of the cloud infrastructure system on demand. Various other services may also be offered, including without limitation online data storage and backup solutions, web-based email services, hosted office suites and document collaboration services, database processing, managed technical support services, and the like. Services provided by the cloud infrastructure system can dynamically scale to meet the needs of its users.

In certain embodiments, a specific instantiation of a service provided by cloud infrastructure system 1102 may be referred to herein as a "service instance." In general, any service made available to a user via a communication network, such as the Internet, from a cloud service provider's system is referred to as a "cloud service." Typically, in a public cloud environment, the servers and systems that make up the cloud service provider's system are different from the customer's own on-premises servers and systems. For example, a cloud service provider's system may host an application, and a user may, via a communication network such as the Internet, order and use the application on demand.

In some examples, a service in a computer network cloud infrastructure may include protected computer network access to storage, a hosted database, a hosted web server, a software application, or another service provided by a cloud vendor to a user, or as otherwise known in the art. For example, a service may include password-protected access to remote storage on the cloud through the Internet. As another example, a service may include a web service-based hosted relational database and a scripting-language middleware engine for private use by a networked developer. As another example, a service may include access to an email software application hosted on a cloud vendor's web site.

In certain embodiments, cloud infrastructure system 1102 may include a suite of applications, middleware, and database service offerings that are delivered to a customer in a self-service, subscription-based, elastically scalable, reliable, highly available, and secure manner. An example of such a cloud infrastructure system is the Oracle Public Cloud provided by the present assignee.

Cloud infrastructure system 1102 may also provide computation and analysis services related to "big data." The term "big data" is generally used to refer to extremely large data sets that can be stored and manipulated by analysts and researchers to visualize large amounts of data, detect trends, and/or otherwise interact with the data. Such big data and related applications may be hosted and/or manipulated by an infrastructure system on many levels and at different scales. Tens, hundreds, or thousands of processors linked in parallel can act upon such data in order to present it or to simulate external forces on the data or on what it represents. These data sets may involve structured data, such as data organized in a database or otherwise according to a structured model, and/or unstructured data (e.g., emails, images, data blobs (binary large objects), web pages, complex event processing). By leveraging an embodiment's ability to relatively quickly focus more (or fewer) computing resources on an objective, the cloud infrastructure system may be better suited to carry out tasks on large data sets based on demand from a business, a government agency, a research organization, a private individual, a group of like-minded individuals or organizations, or another entity.

In various embodiments, cloud infrastructure system 1102 may be adapted to automatically provision, manage, and track a customer's subscriptions to services offered by cloud infrastructure system 1102. Cloud infrastructure system 1102 may provide cloud services via different deployment models. For example, services may be provided under a public cloud model in which cloud infrastructure system 1102 is owned by an organization selling cloud services (e.g., owned by Oracle Corporation) and the services are made available to the general public or to different industry enterprises. As another example, services may be provided under a private cloud model in which cloud infrastructure system 1102 is operated solely for a single organization and may provide services for one or more entities within that organization. Cloud services may also be provided under a community cloud model in which cloud infrastructure system 1102 and the services it provides are shared by several organizations in a related community. Cloud services may also be provided under a hybrid cloud model, which is a combination of two or more different models.

In some embodiments, the services provided by cloud infrastructure system 1102 may include one or more services provided under the Software as a Service (SaaS) category, the Platform as a Service (PaaS) category, the Infrastructure as a Service (IaaS) category, or other categories of services, including hybrid services. A customer may order one or more services provided by cloud infrastructure system 1102 via a subscription order. Cloud infrastructure system 1102 then performs processing to provide the services in the customer's subscription order.

In some embodiments, the services provided by cloud infrastructure system 1102 may include, without limitation, application services, platform services, and infrastructure services. In some examples, application services may be provided by the cloud infrastructure system via a SaaS platform. The SaaS platform may be configured to provide cloud services that fall under the SaaS category. For example, the SaaS platform may provide the capability to build and deliver a suite of on-demand applications on an integrated development and deployment platform. The SaaS platform may manage and control the underlying software and infrastructure used to provide the SaaS services. By utilizing the services provided by the SaaS platform, customers can use applications executing on the cloud infrastructure system. Customers can acquire the application services without having to purchase separate licenses and support. Various different SaaS services may be provided. Examples include, without limitation, services that provide solutions for sales performance management, enterprise integration, and business agility for large organizations.

In some embodiments, platform services may be provided by cloud infrastructure system 1102 via a PaaS platform. The PaaS platform may be configured to provide cloud services that fall under the PaaS category. Examples of platform services may include, without limitation, services that enable organizations (such as Oracle) to consolidate existing applications on a shared, common architecture, as well as the ability to build new applications that leverage the shared services provided by the platform. The PaaS platform may manage and control the underlying software and infrastructure used to provide the PaaS services. Customers can acquire the PaaS services provided by cloud infrastructure system 1102 without having to purchase separate licenses and support. Examples of platform services include, without limitation, Oracle Java Cloud Service (JCS), Oracle Database Cloud Service (DBCS), and others.

By utilizing the services provided by the PaaS platform, customers can employ programming languages and tools supported by the cloud infrastructure system and also control the deployed services. In some embodiments, platform services provided by the cloud infrastructure system may include database cloud services, middleware cloud services (e.g., Oracle Fusion Middleware services), and Java cloud services. In one embodiment, database cloud services may support a shared service deployment model that enables organizations to pool database resources and offer customers a Database as a Service in the form of a database cloud. Middleware cloud services may provide customers with a platform for developing and deploying various business applications, and Java cloud services may provide customers with a platform for deploying Java applications in the cloud infrastructure system.

Various different infrastructure services may be provided by an IaaS platform in the cloud infrastructure system. The infrastructure services facilitate the management and control of the underlying computing resources, such as storage, networks, and other fundamental computing resources, for customers utilizing the services provided by the SaaS platform and the PaaS platform.

In certain embodiments, cloud infrastructure system 1102 may also include infrastructure resources 1130 for providing the resources used to deliver various services to customers of the cloud infrastructure system. In one embodiment, infrastructure resources 1130 may include pre-integrated and optimized combinations of hardware, such as servers, storage, and networking resources, for executing the services provided by the PaaS platform and the SaaS platform, as well as other resources.

In some embodiments, resources in cloud infrastructure system 1102 may be shared by multiple users and dynamically re-allocated on demand. Additionally, resources may be allocated to users in different time zones. For example, cloud infrastructure system 1102 may enable a first set of users in a first time zone to utilize resources of the cloud infrastructure system for a specified number of hours, and then enable the re-allocation of the same resources to another set of users located in a different time zone, thereby maximizing the utilization of resources.

In certain embodiments, a number of internal shared services 1132 may be provided that are shared by different components or modules of cloud infrastructure system 1102 to enable the provisioning of services by cloud infrastructure system 1102. These internal shared services may include, without limitation, a security and identity service, an integration service, an enterprise repository service, an enterprise manager service, a virus scanning and whitelisting service, a high availability, backup and recovery service, a service for enabling cloud support, an email service, a notification service, a file transfer service, and the like.

In certain embodiments, cloud infrastructure system 1102 may provide comprehensive management of cloud services (e.g., SaaS, PaaS, and IaaS services) in the cloud infrastructure system. In one embodiment, cloud management functionality may include capabilities for provisioning, managing, and tracking customer subscriptions received by cloud infrastructure system 1102, and the like.

In one embodiment, as depicted in FIG. 11, cloud management functionality may be provided by one or more modules, such as an order management module 1120, an order orchestration module 1122, an order provisioning module 1124, an order management and monitoring module 1126, and an identity management module 1128. These modules may include, or may be provided using, one or more computers and/or servers, which may be general purpose computers, specialized server computers, server farms, server clusters, or any other appropriate arrangement and/or combination.

In an exemplary operation, at 1134, a customer using a client device (such as client computing device 1104, 1106, or 1108) may interact with cloud infrastructure system 1102 by requesting one or more services provided by cloud infrastructure system 1102 and placing an order for a subscription to one or more of those services. In certain embodiments, the customer may access a cloud user interface (UI), such as cloud UI 1112, cloud UI 1114, and/or cloud UI 1116, and place a subscription order via these UIs. The order information received by cloud infrastructure system 1102 in response to the customer placing an order may include information identifying the customer and the one or more services offered by cloud infrastructure system 1102 to which the customer intends to subscribe.

At step 1136, the order information received from the customer may be stored in an order database 1118. If this is a new order, a new record may be created for the order. In one embodiment, order database 1118 may be one of several databases operated by cloud infrastructure system 1118 and operated in conjunction with other system elements.

At step 1138, the order information may be forwarded to an order management module 1120, which may be configured to perform billing and accounting functions related to the order, such as verifying the order and, once it passes verification, booking the order.

At step 1140, information regarding the order may be communicated to an order orchestration module 1122 that is configured to orchestrate the provisioning of services and resources for the order placed by the customer. In some instances, order orchestration module 1122 may use the services of order provisioning module 1124 for the provisioning. In certain embodiments, order orchestration module 1122 enables the management of the business processes associated with each order and applies business logic to determine whether an order should proceed to provisioning.

As shown in the embodiment depicted in FIG. 11, at 1142, upon receiving an order for a new subscription, order orchestration module 1122 sends a request to order provisioning module 1124 to allocate resources and configure the resources needed to fulfill the subscription order. Order provisioning module 1124 enables the allocation of resources for the services ordered by the customer. Order provisioning module 1124 provides a level of abstraction between the cloud services provided by cloud infrastructure system 1100 and the physical implementation layer that is used to provision the resources for delivering the requested services. This enables order orchestration module 1122 to be isolated from implementation details, such as whether services and resources are actually provisioned on the fly or are pre-provisioned and only allocated/assigned upon request.

At step 1144, once the services and resources are provisioned, a notification may be sent to the subscribing customer indicating that the requested service is now ready for use. In some instances, information (e.g., a link) may be sent to the customer that enables the customer to start using the requested service.

At step 1146, a customer's subscription order may be managed and tracked by an order management and monitoring module 1126. In some instances, order management and monitoring module 1126 may be configured to collect usage statistics regarding the customer's use of the subscribed services. For example, statistics may be collected for the amount of storage used, the amount of data transferred, the number of users, the amount of system uptime and system downtime, and the like.

In certain embodiments, cloud infrastructure system 1100 may include an identity management module 1128 that is configured to provide identity services, such as access management and authorization services, in cloud infrastructure system 1100. In some embodiments, identity management module 1128 may control information about customers who wish to utilize the services provided by cloud infrastructure system 1102. Such information may include information that authenticates the identities of those customers and information that describes which actions those customers are authorized to perform relative to various system resources (e.g., files, directories, applications, communication ports, memory segments, etc.). Identity management module 1128 may also include the management of descriptive information about each customer and of how and by whom that descriptive information can be accessed and modified.

FIG. 12 illustrates an exemplary computer system 1200 that may be used to implement embodiments of the present disclosure. In some embodiments, computer system 1200 may be used to implement any of the various servers and computer systems described above. As shown in FIG. 12, computer system 1200 includes various subsystems, including a processing unit 1204 that communicates with a number of peripheral subsystems via a bus subsystem 1202. These peripheral subsystems may include a processing acceleration unit 1206, an I/O subsystem 1208, a storage subsystem 1218, and a communications subsystem 1224. Storage subsystem 1218 may include tangible computer-readable storage media 1222 and a system memory 1210.

Bus subsystem 1202 provides a mechanism for letting the various components and subsystems of computer system 1200 communicate with each other as intended. Although bus subsystem 1202 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple buses. Bus subsystem 1202 may be any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. For example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus, which can be implemented as a Mezzanine bus manufactured to the IEEE P1386.1 standard, and the like.

Processing subsystem 1204 controls the operation of computer system 1200 and may comprise one or more processing units 1232, 1234, etc. A processing unit may include one or more processors, including single-core or multi-core processors, one or more cores of a processor, or combinations thereof. In some embodiments, processing subsystem 1204 may include one or more special-purpose co-processors, such as graphics processors, digital signal processors (DSPs), or the like. In some embodiments, some or all of the processing units of processing subsystem 1204 may be implemented using customized circuitry, such as application-specific integrated circuits (ASICs) or field-programmable gate arrays (FPGAs).

In some embodiments, the processing units in processing subsystem 1204 may execute instructions stored in system memory 1210 or on computer-readable storage media 1222. In various embodiments, the processing units may execute a variety of programs or code instructions and may maintain multiple concurrently executing programs or processes. At any given time, some or all of the program code to be executed may reside in system memory 1210 and/or on computer-readable storage media 1222, potentially including on one or more storage devices. Through suitable programming, processing subsystem 1204 may provide various functionalities.

In certain embodiments, a processing acceleration unit 1206 may be provided for performing customized processing or for off-loading some of the processing performed by processing subsystem 1204 so as to accelerate the overall processing performed by computer system 1200.

I/O subsystem 1208 may include devices and mechanisms for inputting information to computer system 1200 and/or for outputting information from or via computer system 1200. In general, use of the term "input device" is intended to include all possible types of devices and mechanisms for inputting information to computer system 1200. User interface input devices may include, for example, a keyboard, pointing devices such as a mouse or trackball, a touchpad or touch screen incorporated into a display, a scroll wheel, a click wheel, a dial, a button, a switch, a keypad, audio input devices with voice command recognition systems, microphones, and other types of input devices. User interface input devices may also include motion sensing and/or gesture recognition devices, such as the Microsoft motion sensor that enables users to control and interact with an input device, the Microsoft 360 game controller, and devices that provide an interface for receiving input using gestures and spoken commands. User interface input devices may also include eye gesture recognition devices, such as the Google blink detector, which detects eye activity from the user (e.g., "blinking" while taking pictures and/or making a menu selection) and transforms the eye gestures into input to an input device (e.g., Google). Additionally, user interface input devices may include voice recognition sensing devices that enable users to interact with voice recognition systems (e.g., navigator) through voice commands.

Other examples of user interface input devices include, without limitation, three-dimensional (3D) mice, joysticks or pointing sticks, gamepads and graphics tablets, and audio/visual devices such as speakers, digital cameras, digital camcorders, portable media players, webcams, image scanners, fingerprint scanners, barcode readers, 3D scanners, 3D printers, laser rangefinders, and eye gaze tracking devices. Additionally, user interface input devices may include, for example, medical imaging input devices such as computed tomography, magnetic resonance imaging, position emission tomography, and medical ultrasonography devices. User interface input devices may also include, for example, audio input devices such as MIDI keyboards, digital musical instruments, and the like.

User interface output devices may include a display subsystem, indicator lights, or non-visual displays such as audio output devices, among others. The display subsystem may be a cathode ray tube (CRT), a flat-panel device such as one using a liquid crystal display (LCD) or a plasma display, a projection device, a touch screen, or the like. In general, use of the term "output device" is intended to include all possible types of devices and mechanisms for outputting information from computer system 1200 to a user or to another computer. For example, user interface output devices may include, without limitation, a variety of display devices that visually convey text, graphics, and audio/video information, such as monitors, printers, speakers, headphones, automotive navigation systems, plotters, voice output devices, and modems.

Storage subsystem 1218 provides a repository or data store for storing information that is used by computer system 1200. Storage subsystem 1218 provides tangible, non-transitory computer-readable storage media for storing the basic programming and data constructs that provide the functionality of some embodiments. Software (programs, code modules, instructions) that, when executed by processing subsystem 1204, provides the functionality described above may be stored in storage subsystem 1218. The software may be executed by one or more processing units of processing subsystem 1204. Storage subsystem 1218 may also provide a repository for storing data used in accordance with the present invention.

Storage subsystem 1218 may include one or more non-transitory memory devices, including volatile and non-volatile memory devices. As shown in FIG. 12, storage subsystem 1218 includes a system memory 1210 and computer-readable storage media 1222. System memory 1210 may include a number of memories, including a volatile main random access memory (RAM) for storing instructions and data during program execution and a non-volatile read-only memory (ROM) or flash memory in which fixed instructions are stored. In some implementations, a basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within computer system 1200, such as during start-up, may typically be stored in the ROM. The RAM typically contains data and/or program modules that are presently being operated on and executed by processing subsystem 1204. In some implementations, system memory 1210 may include multiple different types of memory, such as static random access memory (SRAM) or dynamic random access memory (DRAM).

By way of example, and not limitation, as depicted in FIG. 12, system memory 1210 may store application programs 1212, which may include client applications, web browsers, mid-tier applications, relational database management systems (RDBMS), etc., program data 1214, and an operating system 1216. By way of example, operating system 1216 may include various versions of Microsoft, Apple, and/or Linux operating systems, a variety of commercially available UNIX or UNIX-like operating systems (including without limitation the variety of GNU/Linux operating systems, the Google OS, etc.), and/or mobile operating systems such as the iOS, Phone, OS, 8OS, and OS operating systems.

Computer-readable storage media 1222 may store programming and data constructs that provide the functionality of some embodiments. Software (programs, code modules, instructions) that, when executed by processing subsystem 1204, causes the processor to provide the functionality described above may be stored in storage subsystem 1218. By way of example, computer-readable storage media 1222 may include non-volatile memory such as a hard disk drive, a magnetic disk drive, or an optical disk drive such as a CD ROM, DVD, (Blu-ray) disk, or other optical media. Computer-readable storage media 1222 may include, but are not limited to, drives, flash memory cards, universal serial bus (USB) flash drives, secure digital (SD) cards, DVD disks, digital video tape, and the like. Computer-readable storage media 1222 may also include solid-state drives (SSDs) based on non-volatile memory (such as flash-memory-based SSDs, enterprise flash drives, solid-state ROM, and the like), SSDs based on volatile memory (such as solid-state RAM, dynamic RAM, static RAM, DRAM-based SSDs, and magnetoresistive RAM (MRAM) SSDs), and hybrid SSDs that use a combination of DRAM-based and flash-memory-based SSDs. Computer-readable media 1222 may provide storage of computer-readable instructions, data structures, program modules, and other data for computer system 1200.

In some embodiments, storage subsystem 1200 may also include a computer-readable storage media reader 1220, which may further be connected to computer-readable storage media 1222. Optionally, together and in combination with system memory 1210, computer-readable storage media 1222 may comprehensively represent remote, local, fixed, and/or removable storage devices plus storage media for storing computer-readable information.

In some embodiments, computer system 1200 may provide support for executing one or more virtual machines. Computer system 1200 may execute a program such as a hypervisor to facilitate the configuration and management of virtual machines. Each virtual machine may be allocated memory, compute (e.g., processors, cores), I/O, and networking resources. Each virtual machine typically runs its own operating system, which may be the same as or different from the operating systems executed by other virtual machines executed by computer system 1200. Accordingly, multiple operating systems may potentially be run concurrently by computer system 1200. Each virtual machine generally runs independently of the other virtual machines.

Communication subsystem 1224 provides an interface to other computer systems and networks. Communication subsystem 1224 serves as an interface for receiving data from, and sending data to, systems other than computer system 1200. For example, communication subsystem 1224 may enable computer system 1200 to establish communication channels via the Internet to one or more client computing devices, for receiving information from and sending information to the client computing devices.

Communication subsystem 1224 may support both wired and/or wireless communication protocols. For example, in some embodiments, communication subsystem 1224 may include radio frequency (RF) transceiver components for accessing wireless voice and/or data networks (e.g., using cellular telephone technology, advanced data network technologies such as 3G, 4G, or EDGE (Enhanced Data Rates for Global Evolution), WiFi (IEEE 802.11 family standards), other mobile communication technologies, or any combination thereof), global positioning system (GPS) receiver components, and/or other components. In some embodiments, in addition to or instead of a wireless interface, communication subsystem 1224 may provide wired network connectivity (e.g., Ethernet).

Communication subsystem 1224 may receive and transmit data in various forms. For example, in some embodiments, communication subsystem 1224 may receive input communications in the form of structured and/or unstructured data feeds 1226, event streams 1228, event updates 1230, and the like. For example, communication subsystem 1224 may be configured to receive (or send) data feeds 1226 in real time from users of social media networks and/or other communication services such as feeds, updates, and web feeds such as Rich Site Summary (RSS) feeds, and/or real-time updates from one or more third-party information sources.

In some embodiments, communication subsystem 1224 may be configured to receive data in the form of continuous data streams, which may include event streams 1228 of real-time events and/or event updates 1230, where the data may be continuous or unbounded in nature with no explicit end. Examples of applications that generate continuous data may include, for example, sensor data applications, financial tickers, network performance measurement tools (e.g., network monitoring and traffic management applications), clickstream analysis tools, automobile traffic monitoring, and the like.

Communication subsystem 1224 may also be configured to output structured and/or unstructured data feeds 1226, event streams 1228, event updates 1230, and the like to one or more databases that may be in communication with one or more streaming data source computers coupled to computer system 1200.

Computer system 1200 may be one of various types, including a handheld portable device (e.g., a cellular phone, a computing tablet, a PDA), a wearable device (e.g., a Google head-mounted display), a personal computer, a workstation, a mainframe, a kiosk, a server rack, or any other data processing system.

Due to the ever-changing nature of computers and networks, the description of computer system 1200 depicted in FIG. 12 is intended only as a specific example. Many other configurations having more or fewer components than the system depicted in FIG. 12 are possible. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments.

While specific embodiments of the invention have been described, various modifications, alterations, alternative constructions, and equivalents are also encompassed within the scope of the invention. Modifications include any relevant combination of the disclosed features. Embodiments of the invention are not restricted to operation within certain specific data processing environments, but are free to operate within a plurality of data processing environments. Additionally, although embodiments of the invention have been described using a particular series of transactions and steps, it should be apparent to those skilled in the art that the scope of the invention is not limited to the described series of transactions and steps. The various features and aspects of the embodiments described above may be used individually or jointly.

Further, while embodiments of the invention have been described using a particular combination of hardware and software, it should be recognized that other combinations of hardware and software are also within the scope of the invention. Embodiments of the invention may be implemented only in hardware, or only in software, or using combinations thereof. The various processes described herein can be implemented on the same processor or on different processors in any combination. Accordingly, where components or modules are described as being configured to perform certain operations, such configuration can be accomplished, e.g., by designing electronic circuits to perform the operation, by programming programmable electronic circuits (such as microprocessors) to perform the operation, or any combination thereof. Processes can communicate using a variety of techniques, including but not limited to conventional techniques for inter-process communication, and different pairs of processes may use different techniques, or the same pair of processes may use different techniques at different times.

Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. It will, however, be evident that additions, subtractions, deletions, and other modifications and changes may be made thereunto without departing from the broader spirit and scope as set forth in the claims. Thus, although specific invention embodiments have been described, these are not intended to be limiting. Various modifications and equivalents are within the scope of the following claims.

Claims (20) (translated from Chinese)

1. A method, comprising:
receiving, by a computing system of an access management system, from a computing device operated by a user, a verification request to authenticate the access management system, the verification request including user identification information associated with the user;
sending, by the computing system, based on the user identification information, temporary access information for the user to authenticate the access management system to a destination associated with the user;
receiving, by the computing system, from the computing device, a first response including the temporary access information;
upon verifying the temporary access information received in the first response, sending, by the computing system, personal information about the user to the computing device;
receiving, from the computing device, a second response indicating the user's confirmation of the personal information, the second response including credential data of the user; and
determining, by the computing system, authentication of the user to access a resource from the computing device, wherein the authentication is determined based on the credential data received in the second response and the confirmation of the personal information.

2. The method of claim 1, further comprising:
upon determining that the user is not authenticated to access the resource from the computing device, sending to the computing device a request for credential information of the user;
wherein the computing device sends the verification request in response to the request for credential information.

3. The method of claim 1 or 2, wherein the destination includes the computing device.

4. The method of claim 1 or 2, wherein the destination includes a device associated with the user, and wherein the device is different from the computing device.

5. The method of claim 4, wherein the first response is received from the destination.

6. The method of any one of claims 1 to 5, further comprising:
determining that the user identification information is associated with the user; and
identifying the destination based on the user identification information.

7. The method of any one of claims 1 to 6, wherein the temporary access information is associated with a time period, wherein verifying the temporary access information includes determining that a response time is within the time period, and wherein the response time is based on the time taken to receive the first response after the temporary access information is sent to the computing device.

8. The method of any one of claims 1 to 7, further comprising:
upon verifying the temporary access information received in the first response, generating the personal information before sending the personal information.

9. The method of claim 8, wherein the personal information includes financial information about the user determined after the temporary access information is verified.

10. An access management system, comprising:
one or more processors; and
a memory coupled to and readable by the one or more processors, the memory storing a set of instructions which, when executed by the one or more processors, cause the one or more processors to:
receive, from a computing device operated by a user, a verification request to authenticate the access management system, the verification request including user identification information associated with the user;
send, based on the user identification information, temporary access information for the user to authenticate the access management system to a destination associated with the user;
receive, from the computing device, a first response including the temporary access information;
upon verifying the temporary access information received in the first response, send personal information about the user to the computing device;
receive, from the computing device, a second response indicating the user's confirmation of the personal information, the second response including credential data of the user; and
determine authentication of the user to access a resource from the computing device, wherein the authentication is determined based on the credential data received in the second response and the confirmation of the personal information.

11. The access management system of claim 10, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
upon determining that the user is not authenticated to access the resource from the computing device, send to the computing device a request for credential information of the user;
wherein the computing device sends the verification request in response to the request for credential information.

12. The access management system of claim 10 or 11, wherein the destination includes a device associated with the user, and wherein the device is different from the computing device.

13. The access management system of any one of claims 10 to 12, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
determine that the user identification information is associated with the user; and
identify the destination based on the user identification information.

14. The access management system of any one of claims 10 to 13, wherein the temporary access information is associated with a time period, wherein verifying the temporary access information includes determining that a response time is within the time period, and wherein the response time is based on the time taken to receive the first response after the temporary access information is sent to the computing device.

15. The access management system of any one of claims 10 to 14, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
upon verifying the temporary access information received in the first response, generate the personal information before sending the personal information, wherein the personal information includes financial information about the user determined after the temporary access information is verified.

16. A non-transitory computer-readable medium storing a set of instructions which, when executed by one or more processors, cause the one or more processors to:
receive, by a computing system of an access management system, from a computing device operated by a user, a verification request to authenticate the access management system, the verification request including user identification information associated with the user;
send, by the computing system, based on the user identification information, temporary access information for the user to authenticate the access management system to a destination associated with the user;
receive, by the computing system, from the computing device, a first response including the temporary access information;
upon verifying the temporary access information received in the first response, send, by the computing system, personal information about the user to the computing device;
receive, from the computing device, a second response indicating the user's confirmation of the personal information, the second response including credential data of the user; and
determine, by the computing system, authentication of the user to access a resource from the computing device, wherein the authentication is determined based on the credential data received in the second response and the confirmation of the personal information.

17. The non-transitory computer-readable medium of claim 16, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
upon determining that the user is not authenticated to access the resource from the computing device, send to the computing device a request for credential information of the user;
wherein the computing device sends the verification request in response to the request for credential information.

18. The non-transitory computer-readable medium of claim 16 or 17, wherein the destination includes a device associated with the user, and wherein the device is different from the computing device.

19. The non-transitory computer-readable medium of any one of claims 16 to 18, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
determine that the user identification information is associated with the user; and
identify the destination based on the user identification information.

20. The non-transitory computer-readable medium of any one of claims 16 to 19, wherein the set of instructions, when executed by the one or more processors, further causes the one or more processors to:
upon verifying the temporary access information received in the first response, generate the personal information before sending the personal information, wherein the personal information includes financial information about the user determined after the temporary access information is verified.
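The exchange in claims 1 to 9, simulated from the access management system's side. This is an added example, not code from the patent or from Oracle; it assumes an in-memory user store, a six-digit temporary access code delivered to the user's recorded destination through an `outbox` list (standing in for SMS or e-mail), a 120-second response window for the time period of claim 7, and a constructed `recent_activity` list standing in for the personal (financial) information of claims 8 and 9. What it demonstrates is the ordering the claims impose: nothing about the user is disclosed until the code sent to the user's destination comes back correct and within the window, and the credential is evaluated only after the user has confirmed that information.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed validity window for the temporary access information (claim 7).
ACCESS_WINDOW_SECONDS = 120


@dataclass
class UserRecord:
    user_id: str
    destination: str           # assumed: phone number or address the code is sent to (claims 3 to 6)
    salt: bytes
    password_hash: bytes
    recent_activity: list = field(default_factory=list)  # constructed stand-in for claim 9's financial information


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    verified: bool = False


class AccessManagementSystem:
    """Server side: prove itself to the user before asking for the credential (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock    # injectable so the time window can be exercised deterministically
        self._users = {}
        self._pending = {}
        self.outbox = []       # (destination, code) pairs; stands in for SMS/e-mail delivery

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, destination, password, recent_activity):
        salt = secrets.token_bytes(16)
        self._users[user_id] = UserRecord(
            user_id, destination, salt, self._hash_password(password, salt), list(recent_activity))

    def request_verification(self, user_id: str) -> bool:
        """Claim 1 steps 1-2 and claim 6: resolve the identifier, pick the destination, send the code."""
        user = self._users.get(user_id)
        if user is None:
            return False       # unknown identifier: nothing is sent and nothing is disclosed
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingVerification(code, self._clock())
        self.outbox.append((user.destination, code))
        return True

    def submit_access_info(self, user_id: str, code: str):
        """Claim 1 steps 3-4 and claims 7-9: check the code within the window, then disclose
        personal information. Returns that information on success, None otherwise."""
        pending = self._pending.get(user_id)
        if pending is None:
            return None
        late = (self._clock() - pending.issued_at) > ACCESS_WINDOW_SECONDS
        if late or not hmac.compare_digest(pending.code, code):
            del self._pending[user_id]   # a wrong or late answer consumes the code; the user starts over
            return None
        pending.verified = True
        # Claims 8-9: generated only after the code is verified; here the three most recent entries.
        return list(self._users[user_id].recent_activity[-3:])

    def authenticate(self, user_id: str, confirmed: bool, password: str) -> bool:
        """Claim 1 steps 5-6: the credential counts only after the user confirmed the personal information."""
        pending = self._pending.pop(user_id, None)   # each verification round is single-use
        if pending is None or not pending.verified or not confirmed:
            return False
        user = self._users[user_id]
        return hmac.compare_digest(user.password_hash, self._hash_password(password, user.salt))


class FakeClock:
    """Controllable clock for the demonstration; advance .now to simulate delay."""

    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Late response (refused), then a full successful round."""
    clock = FakeClock()
    ams = AccessManagementSystem(clock=clock)
    ams.register("alice", "+1-555-0100", "correct horse battery",
                 ["txn A", "txn B", "txn C", "txn D"])   # constructed sample user
    results = {}
    ams.request_verification("alice")
    _, code = ams.outbox[-1]                   # the user reads the code off the destination device
    clock.now += ACCESS_WINDOW_SECONDS + 1     # answer arrives after the window
    results["late"] = ams.submit_access_info("alice", code)
    ams.request_verification("alice")
    _, code = ams.outbox[-1]
    results["personal_info"] = ams.submit_access_info("alice", code)
    results["authenticated"] = ams.authenticate("alice", True, "correct horse battery")
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting for anyone implementing the claimed flow: an unknown identifier returns `False` without sending anything, so the verification endpoint does not become an account-enumeration oracle, and a wrong or late code deletes the pending round, so each issued code can be guessed at most once before the user has to start again.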
Application CN201680061463.6A | Priority date 2015-10-22 | Filing date 2016-03-31 | Method and system for end-user initiated access server plausibility check | Active | CN108351933B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210366031.3A (CN114726621B (en)) | 2015-10-22 | 2016-03-31 | Method and system for end user initiated access server authenticity checking

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
US14/920,807 | 2015-10-22 | |
US14/920,807 (US10164971B2 (en)) | 2015-10-22 | 2015-10-22 | End user initiated access server authenticity check
PCT/US2016/025402 (WO2017069800A1 (en)) | 2015-10-22 | 2016-03-31 | End user initiated access server authenticity check

Related Child Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202210366031.3A (Division, CN114726621B (en)) | Method and system for end user initiated access server authenticity checking | 2015-10-22 | 2016-03-31

Publications (2)

Publication Number | Publication Date
CN108351933A (en) | 2018-07-31
CN108351933B (en) | 2022-04-22

Family

ID = 55809176

Family Applications (2)

Application Number | Title | Priority Date | Filing Date
CN202210366031.3A (Active, CN114726621B (en)) | Method and system for end user initiated access server authenticity checking | 2015-10-22 | 2016-03-31
CN201680061463.6A (Active, CN108351933B (en)) | Method and system for end-user initiated access server plausibility check | 2015-10-22 | 2016-03-31

Family Applications Before (1)

Application Number | Title | Priority Date | Filing Date
CN202210366031.3A (Active, CN114726621B (en)) | Method and system for end user initiated access server authenticity checking | 2015-10-22 | 2016-03-31

Country Status (5)

Country | Link
US (2) | US10164971B2 (en)
EP (1) | EP3365827B1 (en)
JP (1) | JP6707127B2 (en)
CN (2) | CN114726621B (en)
WO (1) | WO2017069800A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112242015A (en)* | 2019-07-19 | 2021-01-19 | 开利公司 | Method and system for accessing a system
CN112433985A (en)* | 2019-08-26 | 2021-03-02 | 国际商业机器公司 | Controlling the composition of information submitted to a computing system

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US10250594B2 (en) | 2015-03-27 | 2019-04-02 | Oracle International Corporation | Declarative techniques for transaction-specific authentication
US10387980B1 (en)* | 2015-06-05 | 2019-08-20 | Acceptto Corporation | Method and system for consumer based access control for identity information
US10225283B2 (en) | 2015-10-22 | 2019-03-05 | Oracle International Corporation | Protection against end user account locking denial of service (DOS)
US10257205B2 (en) | 2015-10-22 | 2019-04-09 | Oracle International Corporation | Techniques for authentication level step-down
US10164971B2 (en) | 2015-10-22 | 2018-12-25 | Oracle International Corporation | End user initiated access server authenticity check
WO2017070412A1 (en) | 2015-10-23 | 2017-04-27 | Oracle International Corporation | Password-less authentication for access management
US10303865B2 (en)* | 2016-08-31 | 2019-05-28 | Redrock Biometrics, Inc. | Blue/violet light touchless palm print identification
US20180270215A1 (en)* | 2017-03-16 | 2018-09-20 | Ca, Inc. | Personal assurance message over sms and email to prevent phishing attacks
US10645079B2 (en) | 2017-05-12 | 2020-05-05 | Bank Of America Corporation | Preventing unauthorized access to secured information systems using authentication tokens and multi-device authentication prompts
IL253632B (en) | 2017-07-24 | 2022-01-01 | Sensepass Ltd | System and method for distance based secured communication over an unsecure communication channel
EP3594843A1 (en)* | 2018-07-10 | 2020-01-15 | Klaxoon | Improved scalable architecture of servers providing access to data content
US11188913B2 (en)* | 2019-01-11 | 2021-11-30 | Capital One Services, Llc | Systems and methods for securely verifying a subset of personally identifiable information
US10706704B1 (en)* | 2019-07-25 | 2020-07-07 | Bank Of America Corporation | Utilizing a high generation cellular network for identifying devices associated with unauthorized activities and notifying enterprise facilities
US11182995B1 (en)* | 2019-11-25 | 2021-11-23 | Wells Fargo Bank, N.A. | Systems and methods for remotely accessing secured spaces
US11582220B2 (en)* | 2020-03-31 | 2023-02-14 | Konica Minolta Business Solutions U.S.A., Inc. | Authentication server and method that allow user to log into application or service provided via client devices
US12093371B2 (en) | 2020-05-28 | 2024-09-17 | Red Hat, Inc. | Data distribution using a trusted execution environment in an untrusted device
US11971980B2 (en)* | 2020-05-28 | 2024-04-30 | Red Hat, Inc. | Using trusted execution environments to perform a communal operation for mutually-untrusted devices
US11947659B2 (en) | 2020-05-28 | 2024-04-02 | Red Hat, Inc. | Data distribution across multiple devices using a trusted execution environment in a mobile device
US11848924B2 (en)* | 2020-10-12 | 2023-12-19 | Red Hat, Inc. | Multi-factor system-to-system authentication using secure execution environments
US11783065B2 (en) | 2020-11-25 | 2023-10-10 | International Business Machines Corporation | Business data protection for running tasks in computer system
JP7668380B2 (en)* | 2021-05-07 | 2025-04-24 | ホアウェイ・テクノロジーズ・カンパニー・リミテッド | Method and apparatus for provisioning, authentication, authorization, and user equipment (UE) key generation and distribution in on-demand networks
JP7507186B2 (en) | 2022-02-08 | 2024-06-27 | エイチ・シー・ネットワークス株式会社 | How to handle network systems and single sign-on
CN114915500B (en)* | 2022-07-15 | 2022-10-14 | 北京热源汇盈网络科技有限公司 | Self-media account management method and device based on PC desktop client
US12120152B2 (en) | 2022-07-20 | 2024-10-15 | Nvidia Corporation | Preemptive processing of authentication requests for unified access management systems and applications
US12120122B2 (en)* | 2022-07-20 | 2024-10-15 | Nvidia Corporation | Processing authentication requests for unified access management systems and applications
US20240045988A1 (en)* | 2022-08-04 | 2024-02-08 | Skyflow Inc | Enhanced user security through a middle tier access application
US20240080313A1 (en)* | 2022-09-02 | 2024-03-07 | Cisco Technology, Inc. | Authentication (authn) and authorization (authz) binding for secure network access
US12189757B2 (en)* | 2022-11-09 | 2025-01-07 | Jpmorgan Chase Bank, N.A. | System, method, and computer program for smart secret rotator
CN119094590A (en)* | 2024-08-23 | 2024-12-06 | 中移物联网有限公司 | Information transmission method, device, equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20070136573A1 (en)* | 2005-12-05 | 2007-06-14 | Joseph Steinberg | System and method of using two or more multi-factor authentication mechanisms to authenticate online parties
US20070199053A1 (en)* | 2006-02-13 | 2007-08-23 | Tricipher, Inc. | Flexible and adjustable authentication in cyberspace
US20070200597A1 (en)* | 2006-02-28 | 2007-08-30 | Oakland Steven F | Clock generator having improved deskewer
CN101410803A (en)* | 2006-01-24 | 2009-04-15 | 思杰系统有限公司 | Methods and systems for providing access to a computing environment
CN102457484A (en)* | 2010-10-26 | 2012-05-16 | 镇江精英软件科技有限公司 | Method for checking user information by combining user name/password authentication and check code
US20130111208A1 (en)* | 2011-10-31 | 2013-05-02 | Jason Allen Sabin | Techniques for authentication via a mobile device
US8555355B2 (en)* | 2010-12-07 | 2013-10-08 | Verizon Patent And Licensing Inc. | Mobile pin pad
CN103563294A (en)* | 2011-06-30 | 2014-02-05 | 国际商业机器公司 | Authentication and authorization methods for cloud computing platform security
CN103716326A (en)* | 2013-12-31 | 2014-04-09 | 华为技术有限公司 | Resource access method and URG
US20140214688A1 (en)* | 2011-08-31 | 2014-07-31 | Ping Identity Corporation | System and method for secure transaction process via mobile device
CN104468119A (en)* | 2014-11-21 | 2015-03-25 | 上海瀚之友信息技术服务有限公司 | One-time password authentication system and method

Family Cites Families (121)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US5636280A (en) | 1994-10-31 | 1997-06-03 | Kelly; Tadhg | Dual key reflexive encryption security system
US6412077B1 (en) | 1999-01-14 | 2002-06-25 | Cisco Technology, Inc. | Disconnect policy for distributed computing systems
US6892307B1 (en) | 1999-08-05 | 2005-05-10 | Sun Microsystems, Inc. | Single sign-on framework with trust-level mapping to authentication requirements
US6609198B1 (en) | 1999-08-05 | 2003-08-19 | Sun Microsystems, Inc. | Log-on service providing credential level change without loss of session continuity
US6950949B1 (en) | 1999-10-08 | 2005-09-27 | Entrust Limited | Method and apparatus for password entry using dynamic interface legitimacy information
JP2001117873A (en)* | 1999-10-19 | 2001-04-27 | Hitachi Ltd | Terminal identification method
US6246769B1 (en) | 2000-02-24 | 2001-06-12 | Michael L. Kohut | Authorized user verification by sequential pattern recognition and access code acquisition
US7086085B1 (en) | 2000-04-11 | 2006-08-01 | Bruce E Brown | Variable trust levels for authentication
JP3855595B2 (en) | 2000-04-25 | 2006-12-13 | 株式会社日立製作所 | COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION DEVICE
US7590684B2 (en) | 2001-07-06 | 2009-09-15 | Check Point Software Technologies, Inc. | System providing methodology for access control with cooperative enforcement
GB0119629D0 (en) | 2001-08-10 | 2001-10-03 | Cryptomathic As | Data certification method and apparatus
US7076797B2 (en) | 2001-10-05 | 2006-07-11 | Microsoft Corporation | Granular authorization for network user sessions
US7562222B2 (en) | 2002-05-10 | 2009-07-14 | Rsa Security Inc. | System and method for authenticating entities to users
JP2004198872A (en) | 2002-12-20 | 2004-07-15 | Sony Electronics Inc | Terminal device and server
EP1434404B1 (en) | 2002-12-20 | 2005-03-16 | Alcatel | Method and system to provide authentication for a user
US7283048B2 (en) | 2003-02-03 | 2007-10-16 | Ingrid, Inc. | Multi-level meshed security network
US20040215750A1 (en) | 2003-04-28 | 2004-10-28 | Stilp Louis A. | Configuration program for a security system
WO2004111940A1 (en) | 2003-06-16 | 2004-12-23 | Yokohama Tlo Co., Ltd. | Personal identification device and system having personal identification device
US7395424B2 (en) | 2003-07-17 | 2008-07-01 | International Business Machines Corporation | Method and system for stepping up to certificate-based authentication without breaking an existing SSL session
US7724700B1 (en) | 2003-08-25 | 2010-05-25 | Cisco Technology, Inc. | Application server-centric quality of service management in network communications
US8128474B2 (en) | 2004-03-05 | 2012-03-06 | Cantor Index, Llc | Computer graphics processing methods and systems for presentation of graphics objects or text in a wagering environment
WO2005084149A2 (en) | 2004-03-09 | 2005-09-15 | Ktfreetel Co., Ltd. | Method and system for detailed accounting of packet data
JP2006311529A (en)* | 2005-03-30 | 2006-11-09 | Seiko Epson Corp | Authentication system and authentication method thereof, authentication server and authentication method thereof, recording medium, and program
US7574212B2 (en) | 2005-06-22 | 2009-08-11 | Sprint Spectrum L.P. | Method and system for managing communication sessions during multi-mode mobile station handoff
US20070037552A1 (en)* | 2005-08-11 | 2007-02-15 | Timothy Lee | Method and system for performing two factor mutual authentication
CN101495956B (en) | 2005-08-11 | 2012-03-07 | 晟碟以色列有限公司 | Extended one-time password method and apparatus
US20070125840A1 (en) | 2005-12-06 | 2007-06-07 | Boncle, Inc. | Extended electronic wallet management
US20070130463A1 (en) | 2005-12-06 | 2007-06-07 | Eric Chun Wah Law | Single one-time password token with single PIN for access to multiple providers
US7904946B1 (en) | 2005-12-09 | 2011-03-08 | Citicorp Development Center, Inc. | Methods and systems for secure user authentication
JP4693171B2 (en)* | 2006-03-17 | 2011-06-01 | 株式会社日立ソリューションズ | Authentication system
US8010996B2 (en) | 2006-07-17 | 2011-08-30 | Yahoo! Inc. | Authentication seal for online applications
US8671444B2 (en) | 2006-10-06 | 2014-03-11 | Fmr Llc | Single-party, secure multi-channel authentication for access to a resource
US20080120507A1 (en)* | 2006-11-21 | 2008-05-22 | Shakkarwar Rajesh G | Methods and systems for authentication of a user
US8156536B2 (en) | 2006-12-01 | 2012-04-10 | Cisco Technology, Inc. | Establishing secure communication sessions in a communication network
US8032922B2 (en) | 2006-12-18 | 2011-10-04 | Oracle International Corporation | Method and apparatus for providing access to an application-resource
EP2168085A2 (en) | 2007-06-20 | 2010-03-31 | Mchek India Payment Systems PVT. LTD. | A method and system for secure authentication
US9009327B2 (en) | 2007-08-03 | 2015-04-14 | Citrix Systems, Inc. | Systems and methods for providing IIP address stickiness in an SSL VPN session failover environment
US8122251B2 (en) | 2007-09-19 | 2012-02-21 | Alcatel Lucent | Method and apparatus for preventing phishing attacks
US8209209B2 (en) | 2007-10-02 | 2012-06-26 | Incontact, Inc. | Providing work, training, and incentives to company representatives in contact handling systems
US8302167B2 (en) | 2008-03-11 | 2012-10-30 | Vasco Data Security, Inc. | Strong authentication token generating one-time passwords and signatures upon server credential verification
KR101496329B1 (en) | 2008-03-28 | 2015-02-26 | 삼성전자주식회사 | Method and apparatus for adjusting device security level of a network
US8584196B2 (en) | 2008-05-05 | 2013-11-12 | Oracle International Corporation | Technique for efficiently evaluating a security policy
US8006291B2 (en) | 2008-05-13 | 2011-08-23 | Veritrix, Inc. | Multi-channel multi-factor authentication
US8339954B2 (en)2008-05-162012-12-25Cisco Technology, Inc.Providing trigger based traffic management
US8141140B2 (en)2008-05-232012-03-20Hsbc Technologies Inc.Methods and systems for single sign on with dynamic authentication levels
US7523309B1 (en)2008-06-272009-04-21International Business Machines CorporationMethod of restricting access to emails by requiring multiple levels of user authentication
US8738488B2 (en)*2008-08-122014-05-27Branch Banking & Trust CompanyMethod for business on-line account opening with early warning system
US8327422B1 (en)2008-09-262012-12-04Emc CorporationAuthenticating a server device using dynamically generated representations
MY178936A (en)*2008-11-102020-10-23Entrust Datacard Denmark AsMethod and system protecting against identity theft or replication abuse
US8281379B2 (en)2008-11-132012-10-02Vasco Data Security, Inc.Method and system for providing a federated authentication service with gradual expiration of credentials
US8843997B1 (en)2009-01-022014-09-23Resilient Network Systems, Inc.Resilient trust network services
NO332479B1 (en)2009-03-022012-09-24Encap As Procedure and computer program for verifying one-time password between server and mobile device using multiple channels
US8863270B2 (en)2009-05-222014-10-14Raytheon CompanyUser interface for providing voice communications over a multi-level secure network
US9130903B2 (en)2009-07-012015-09-08Citrix Systems, Inc.Unified out of band management system for desktop and server sessions
US8453224B2 (en)2009-10-232013-05-28Novell, Inc.Single sign-on authentication
US10956867B2 (en)*2010-03-312021-03-23Airstrip Ip Holdings, LlcMulti-factor authentication for remote access of patient data
US8572268B2 (en)2010-06-232013-10-29International Business Machines CorporationManaging secure sessions
US8490165B2 (en)2010-06-232013-07-16International Business Machines CorporationRestoring secure sessions
US8312519B1 (en)2010-09-302012-11-13Daniel V BaileyAgile OTP generation
US8806591B2 (en)2011-01-072014-08-12Verizon Patent And Licensing Inc.Authentication risk evaluation
US9191375B2 (en)2011-01-132015-11-17Infosys LimitedSystem and method for accessing integrated applications in a single sign-on enabled enterprise solution
US8549145B2 (en)2011-02-082013-10-01Aventura Hq, Inc.Pre-access location-based rule initiation in a virtual computing environment
US8640214B2 (en)2011-03-072014-01-28Gemalto SaKey distribution for unconnected one-time password tokens
US8763097B2 (en)2011-03-112014-06-24Piyush BhatnagarSystem, design and process for strong authentication using bidirectional OTP and out-of-band multichannel authentication
WO2012156785A1 (en)2011-05-132012-11-22Shenoy GurudattSystems and methods for device based password-less user authentication using encryption
US8856893B2 (en)2011-06-092014-10-07Hao MinSystem and method for an ATM electronic lock system
US8677464B2 (en)2011-06-222014-03-18Schweitzer Engineering Laboratories Inc.Systems and methods for managing secure communication sessions with remote devices
US8627438B1 (en)2011-09-082014-01-07Amazon Technologies, Inc.Passwordless strong authentication using trusted devices
US8954758B2 (en)2011-12-202015-02-10Nicolas LEOUTSARAKOSPassword-less security and protection of online digital assets
US9438575B2 (en)2011-12-222016-09-06Paypal, Inc.Smart phone login using QR code
EP3576343A1 (en)2011-12-272019-12-04INTEL CorporationAuthenticating to a network via a device-specific one time password
KR101236544B1 (en)2012-01-122013-03-15주식회사 엘지씨엔에스Payment method and payment gateway, mobile terminal and time certificate issuing server associated with the same
US10120847B2 (en)2012-01-272018-11-06Usablenet Inc.Methods for transforming requests for web content and devices thereof
US20130205373A1 (en)2012-02-082013-08-08Aventura Hq, Inc.Adapting authentication flow based on workflow events
US8898765B2 (en)2012-02-152014-11-25Oracle International CorporationSigning off from multiple domains accessible using single sign-on
US8935777B2 (en)2012-02-172015-01-13Ebay Inc.Login using QR code
US8578476B2 (en)2012-03-232013-11-05Ca, Inc.System and method for risk assessment of login transactions through password analysis
US8856892B2 (en)2012-06-272014-10-07Sap AgInteractive authentication
CN103532919B (en)2012-07-062018-06-12腾讯科技(深圳)有限公司Method and system for keeping a user account in a logged-in state
US20140047233A1 (en)2012-08-072014-02-13Jeffrey T. KalinSystem and methods for automated transaction key generation and authentication
US9554389B2 (en)2012-08-312017-01-24Qualcomm IncorporatedSelectively allocating quality of service to support multiple concurrent sessions for a client device
GB2505710A (en)2012-09-112014-03-12Barclays Bank PlcRegistration method and system for secure online banking
US9083691B2 (en)2012-09-142015-07-14Oracle International CorporationFine-grained user authentication and activity tracking
US9092607B2 (en)2012-10-012015-07-28Oracle International CorporationDynamic flow control for access managers
US9218476B1 (en)2012-11-072015-12-22Amazon Technologies, Inc.Token based one-time password security
US8625796B1 (en)2012-11-302014-01-07Mourad Ben AyedMethod for facilitating authentication using proximity
EP2743857A1 (en)2012-12-132014-06-18Gemalto SAMethod for allowing establishment of a secure session between a device and a server
US8966591B2 (en)2013-01-182015-02-24Ca, Inc.Adaptive strike count policy
US20140279445A1 (en)2013-03-182014-09-18Tencent Technology (Shenzhen) Company LimitedMethod, Apparatus, and System for Processing Transactions
CN103220280A (en)2013-04-032013-07-24天地融科技股份有限公司Dynamic password token and data transmission method and system for dynamic password token
US9569472B2 (en)2013-06-062017-02-14Oracle International CorporationSystem and method for providing a second level connection cache for use with a database environment
GB2515289A (en)*2013-06-172014-12-24Mastercard International IncDisplay card with user interface
EP2821972B1 (en)2013-07-052020-04-08Assa Abloy AbKey device and associated method, computer program and computer program product
CN103366111B (en)*2013-07-102016-02-24公安部第三研究所Method for a mobile device to implement smart-card extended authentication control based on a QR code
US9787657B2 (en)2013-09-192017-10-10Oracle International CorporationPrivileged account plug-in framework—usage policies
US9866640B2 (en)2013-09-202018-01-09Oracle International CorporationCookie based session management
US9544293B2 (en)2013-09-202017-01-10Oracle International CorporationGlobal unified session identifier across multiple data centers
US9742757B2 (en)2013-11-272017-08-22International Business Machines CorporationIdentifying and destroying potentially misappropriated access tokens
US9202035B1 (en)2013-12-182015-12-01Emc CorporationUser authentication based on biometric handwriting aspects of a handwritten code
US10212143B2 (en)2014-01-312019-02-19Dropbox, Inc.Authorizing an untrusted client device for access on a content management system
US9537661B2 (en)2014-02-282017-01-03Verizon Patent And Licensing Inc.Password-less authentication service
US9560076B2 (en)2014-03-192017-01-31Verizon Patent And Licensing Inc.Secure trust-scored distributed multimedia collaboration session
US10079826B2 (en)2014-03-192018-09-18BluInk Ltd.Methods and systems for data entry
US10136315B2 (en)2014-04-172018-11-20Guang GongPassword-less authentication system, method and device
US11030587B2 (en)*2014-04-302021-06-08Mastercard International IncorporatedSystems and methods for providing anonymized transaction data to third-parties
US10270780B2 (en)2014-08-182019-04-23Dropbox, Inc.Access management using electronic images
GB2529632A (en)2014-08-262016-03-02IbmAuthentication management
US9495522B2 (en)2014-09-032016-11-15Microsoft Technology Licensing, LlcShared session techniques
CN104660412A (en)2014-10-222015-05-27南京泽本信息技术有限公司Password-less security authentication method and system for mobile equipment
US10547599B1 (en)2015-02-192020-01-28Amazon Technologies, Inc.Multi-factor authentication for managed directories
EP3262815B1 (en)2015-02-242020-10-14Cisco Technology, Inc.System and method for securing an enterprise computing environment
EP3065366B1 (en)2015-03-022020-09-09Bjoern PirrwitzIdentification and/or authentication system and method
US10250594B2 (en)2015-03-272019-04-02Oracle International CorporationDeclarative techniques for transaction-specific authentication
US9769147B2 (en)2015-06-292017-09-19Oracle International CorporationSession activity tracking for session adoption across multiple data centers
US10693859B2 (en)2015-07-302020-06-23Oracle International CorporationRestricting access for a single sign-on (SSO) session
SG10201508081TA (en)*2015-09-292017-04-27Mastercard International IncMethod and system for dynamic pin authorisation for atm or pos transactions
US10225283B2 (en)2015-10-222019-03-05Oracle International CorporationProtection against end user account locking denial of service (DOS)
US10164971B2 (en)2015-10-222018-12-25Oracle International CorporationEnd user initiated access server authenticity check
US10257205B2 (en)2015-10-222019-04-09Oracle International CorporationTechniques for authentication level step-down
WO2017070412A1 (en)2015-10-232017-04-27Oracle International CorporationPassword-less authentication for access management
US10038787B2 (en)2016-05-062018-07-31Genesys Telecommunications Laboratories, Inc.System and method for managing and transitioning automated chat conversations

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US20070136573A1 (en)* | 2005-12-05 | 2007-06-14 | Joseph Steinberg | System and method of using two or more multi-factor authentication mechanisms to authenticate online parties
CN101410803A (en)* | 2006-01-24 | 2009-04-15 | 思杰系统有限公司 | Methods and systems for providing access to a computing environment
US20070199053A1 (en)* | 2006-02-13 | 2007-08-23 | Tricipher, Inc. | Flexible and adjustable authentication in cyberspace
US20070200597A1 (en)* | 2006-02-28 | 2007-08-30 | Oakland Steven F | Clock generator having improved deskewer
CN102457484A (en)* | 2010-10-26 | 2012-05-16 | 镇江精英软件科技有限公司 | Method for checking user information by combining user name/password authentication and check code
US8555355B2 (en)* | 2010-12-07 | 2013-10-08 | Verizon Patent And Licensing Inc. | Mobile pin pad
CN103563294A (en)* | 2011-06-30 | 2014-02-05 | 国际商业机器公司 | Authentication and authorization methods for cloud computing platform security
US20140214688A1 (en)* | 2011-08-31 | 2014-07-31 | Ping Identity Corporation | System and method for secure transaction process via mobile device
US20130111208A1 (en)* | 2011-10-31 | 2013-05-02 | Jason Allen Sabin | Techniques for authentication via a mobile device
CN103716326A (en)* | 2013-12-31 | 2014-04-09 | 华为技术有限公司 | Resource access method and URG
CN104468119A (en)* | 2014-11-21 | 2015-03-25 | 上海瀚之友信息技术服务有限公司 | One-time password authentication system and method

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
JIM YOULL: "Fraud Vulnerability in Sitekey Security at Bank of America", Review draft to Bank of America/RSA *
RACHNA DHAMIJA et al.: "Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks", Human Interactive Proofs, Second International Workshop on Human Interactive Proofs (HIP 2005) *
XIONG JINBO et al.: "PRIAM: Privacy Preserving Identity and Access Management Scheme in Cloud", KSII Transactions on Internet and Information Systems (TIIS) *
冯朝胜 et al.: "Key technologies of access control in cloud computing environments" (云计算环境下访问控制关键技术), Acta Electronica Sinica (电子学报) *
徐秀玲: "Research and design of a single sign-on system" (单点登录系统的研究与设计), China Master's Theses Full-text Database, Information Science and Technology series (中国优秀硕士学位论文全文数据库 信息科技辑) *
陈占芳 et al.: "Design and implementation of an interactive identity authentication and access control security information platform" (一种交互式身份认证及访问控制安全信息平台的设计与实现), Journal of Changchun University of Science and Technology (Natural Science Edition) (长春理工大学学报(自然科学版)) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112242015A (en)* | 2019-07-19 | 2021-01-19 | 开利公司 | Method and system for accessing a system
CN112242015B (en)* | 2019-07-19 | 2025-03-18 | 霍尼韦尔国际公司 | Method and system for accessing a system
CN112433985A (en)* | 2019-08-26 | 2021-03-02 | 国际商业机器公司 | Controlling the composition of information submitted to a computing system

Also Published As

Publication number | Publication date
EP3365827A1 (en) | 2018-08-29
US20190089698A1 (en) | 2019-03-21
US10164971B2 (en) | 2018-12-25
JP2018533141A (en) | 2018-11-08
US20170118202A1 (en) | 2017-04-27
CN114726621B (en) | 2024-05-24
WO2017069800A1 (en) | 2017-04-27
CN114726621A (en) | 2022-07-08
JP6707127B2 (en) | 2020-06-10
CN108351933B (en) | 2022-04-22
EP3365827B1 (en) | 2019-09-18
US10666643B2 (en) | 2020-05-26

Similar Documents

Publication | Publication Date | Title
US10666643B2 (en) | | End user initiated access server authenticity check
US11843611B2 (en) | | Framework for multi-level and multi-factor inline enrollment
US10735196B2 (en) | | Password-less authentication for access management
US10462142B2 (en) | | Techniques for implementing a data storage device as a security device for managing access to resources
US10157275B1 (en) | | Techniques for access management based on multi-factor authentication including knowledge-based authentication
US10257205B2 (en) | | Techniques for authentication level step-down
US10693859B2 (en) | | Restricting access for a single sign-on (SSO) session
US10581826B2 (en) | | Run-time trust management system for access impersonation
US10225283B2 (en) | | Protection against end user account locking denial of service (DOS)
EP3915026B1 (en) | | Browser login sessions via non-extractable asymmetric keys
US10826886B2 (en) | | Techniques for authentication using push notifications
CN113918914B (en) | | Passwordless authentication for access management

Legal Events

Date | Code | Title | Description
 | PB01 | Publication | 
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 
 | SE01 | Entry into force of request for substantive examination | 
 | GR01 | Patent grant | 
 | GR01 | Patent grant | 
